Re: [PATCH RFC PoC 0/3] nftables meets bpf

Hi Pablo, On 02/20/2018 11:58 AM, Pablo Neira Ayuso wrote: > On Mon, Feb 19, 2018 at 08:57:39PM +0100, Daniel Borkmann wrote: >> On 02/19/2018 05:37 PM, Pablo Neira Ayuso wrote: >> [...] >>> * Simplified infrastructure: We don't need the ebpf verifier complexity >

Re: [PATCH RFC 0/4] net: add bpfilter

On 02/20/2018 11:44 AM, Pablo Neira Ayuso wrote: > Hi David! > > On Mon, Feb 19, 2018 at 12:22:26PM -0500, David Miller wrote: > [...] >> Netfilter's chronic performance differential is why a lot of mindshare >> was lost to userspace networking technologies. > > Claiming that Netfilter is the

Re: [PATCH RFC PoC 0/3] nftables meets bpf

On 02/19/2018 05:37 PM, Pablo Neira Ayuso wrote: [...] > * Simplified infrastructure: We don't need the ebpf verifier complexity > either given we trust the code we generate from the kernel. We don't > need any complex userspace tooling either, just libnftnl and nft > userspace binaries. >

Re: [PATCH RFC 0/4] net: add bpfilter

Hi Florian, On 02/16/2018 05:14 PM, Florian Westphal wrote: > Florian Westphal <f...@strlen.de> wrote: >> Daniel Borkmann <dan...@iogearbox.net> wrote: >> Several questions spinning at the moment, I will probably come up with >> more: > > ... and here there

Re: [PATCH RFC 0/4] net: add bpfilter

Hi Florian, thanks for your feedback! More inline: On 02/16/2018 03:57 PM, Florian Westphal wrote: > Daniel Borkmann <dan...@iogearbox.net> wrote: >> This is a very rough and early proof of concept that implements bpfilter. > > [..] > >> Also, as a benefit fr

[PATCH RFC 3/4] net: initial bpfilter skeleton

From: "David S. Miller" Signed-off-by: David S. Miller Signed-off-by: Alexei Starovoitov --- include/linux/bpfilter.h | 13 +++ include/uapi/linux/bpfilter.h | 200 ++ net/Kconfig

[PATCH RFC 0/4] net: add bpfilter

1 +12) 16: (55) if r4 != 0x202a8c0 goto pc+1 17: (04) (u32) r5 += (u32) 1 18: (55) if r5 != 0x1 goto pc+2 19: (b4) (u32) r0 = (u32) 1 20: (95) exit 21: (b4) (u32) r0 = (u32) 2 22: (95) exit Thanks! Alexei Starovoitov (2): modules: allow insmod load regular elf binaries bpf: intro

[PATCH RFC 2/4] bpf: introduce bpfilter commands

From: Alexei Starovoitov Signed-off-by: Alexei Starovoitov --- include/uapi/linux/bpf.h | 16 kernel/bpf/syscall.c | 41 + 2 files changed, 57 insertions(+) diff --git a/include/uapi/linux/bpf.h

[PATCH RFC 1/4] modules: allow insmod load regular elf binaries

From: Alexei Starovoitov Signed-off-by: Alexei Starovoitov --- fs/exec.c | 40 +++- include/linux/binfmts.h | 1 + include/linux/umh.h | 4 kernel/module.c | 33

[PATCH RFC 4/4] bpf: rough bpfilter codegen example hack

Signed-off-by: Daniel Borkmann <dan...@iogearbox.net> --- include/uapi/linux/bpf.h| 31 +++-- kernel/bpf/syscall.c| 39 +++--- net/bpfilter/Makefile | 2 +- net/bpfilter/bpfilter.c | 59 + net/bpfilter/bpfilter_mod.h

Re: [PATCH v2] netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'

2 [2] https://marc.info/?l=netfilter-devel=150575727129880=2 Cc: Pablo Neira Ayuso <pa...@netfilter.org> Cc: Willem de Bruijn <will...@google.com> Reported-by: Rafael Buchbinder <r...@rbk.ms> Signed-off-by: Shmulik Ladkani <shmulik.ladk...@gmail.com> Acked-

Re: [PATCH] netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'

Hi Shmulik, On 10/09/2017 01:57 PM, Pablo Neira Ayuso wrote: On Mon, Oct 09, 2017 at 01:18:23PM +0200, Pablo Neira Ayuso wrote: On Fri, Oct 06, 2017 at 01:40:13PM -0400, Willem de Bruijn wrote: On Fri, Oct 6, 2017 at 12:02 PM, Shmulik Ladkani wrote: From: Shmulik Ladkani

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

Hi Willem, On 12/05/2016 09:28 PM, Willem de Bruijn wrote: From: Willem de Bruijn Add support for attaching an eBPF object by file descriptor. The iptables binary can be called with a path to an elf object or a pinned bpf object. Also pass the mode and path to the kernel

Re: [PATCH net-next] nfnetlink_queue: enable PID info retrieval

On 06/10/2016 12:21 AM, Daniel Borkmann wrote: On 06/09/2016 11:35 PM, Florian Westphal wrote: Saeed Mahameed <sae...@mellanox.com> wrote: index a1bd161..67de200 100644 --- a/net/socket.c +++ b/net/socket.c @@ -382,6 +382,7 @@ struct file *sock_alloc_file(struct socket *sock, int flags,

Re: [PATCH net-next] nfnetlink_queue: enable PID info retrieval

On 06/09/2016 11:35 PM, Florian Westphal wrote: Saeed Mahameed wrote: index a1bd161..67de200 100644 --- a/net/socket.c +++ b/net/socket.c @@ -382,6 +382,7 @@ struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname) } sock->file =

Re: [PATCH nf-next] netfilter: meta: add PRANDOM support

On 02/16/2016 02:19 PM, Florian Westphal wrote: Daniel Borkmann <dan...@iogearbox.net> wrote: + case NFT_META_PRANDOM: + if (!prand_inited) { + prandom_seed_full_state(_prandom_state); + prand_inited

Re: [PATCH nf-next] netfilter: meta: add PRANDOM support

random_u32 directly. Unlike bpf nft_meta can be built as a module, so add an EXPORT_SYMBOL for prandom_seed_full_state too. Cc: Daniel Borkmann <dan...@iogearbox.net> Signed-off-by: Florian Westphal <f...@strlen.de> [...] @@ -241,6 +248,7 @@ int nft_meta_get_init(const struct nft_ctx *c