From: David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
To: ast-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org
Cc: mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org,
dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
hannes-tFNcAqjVMyqKXQKiL6tip0B+6BGkLq7r@public.gmane.org,
edumazet-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH net-next 3/6] samples: bpf: example of stateful socket filtering
Date: Sat, 29 Nov 2014 21:01:58 -0800 (PST)
Message-ID: <20141129.210158.2021042941461629799.davem@davemloft.net>
In-Reply-To: <1417066951-1999-4-git-send-email-ast-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
From: Alexei Starovoitov <ast-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
Date: Wed, 26 Nov 2014 21:42:28 -0800
> this socket filter example does:
> - creates arraymap in kernel with key 4 bytes and value 8 bytes
>
> - loads eBPF program:
> r0 = skb[14 + 9]; // load one byte of ip->proto
...
> + BPF_LD_ABS(BPF_B, 14 + 9 /* R0 = ip->proto */),
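
Review bot: the load offset in BPF_LD_ABS(BPF_B, 14 + 9 ...) is two bare literals whose meaning is carried only by the trailing comment. Writing it as ETH_HLEN + offsetof(struct iphdr, protocol) would say where the 14 and the 9 come from without relying on the comment. The lines quoted here also show no test that the frame is IPv4 before this byte is read; if the elided part of the program has none, one should precede the load, since byte 23 of a non-IPv4 frame is not a protocol field.
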
I do not want anything having to do with fixed offsets from
the skb.

Nothing should know where things are in the SKB structure,
especially user facing things.

That's why we have explicit BPF operations for fetching
specific SKB members, so that the layout is completely
transparent to the entity generating BPF programs.

Besides retaining the flexibility of changing the SKB
layout arbitrarily without breaking bpf programs, there
are also security considerations from allowing bpf
programs to load arbitrary offsets.

Sorry, I do not like this patch series at all.

Thread overview: 9+ messages
2014-11-27 5:42 [PATCH net-next 0/6] allow eBPF programs to be attached to sockets Alexei Starovoitov
2014-11-27 5:42 ` [PATCH net-next 1/6] bpf: verifier: add checks for BPF_ABS | BPF_IND instructions Alexei Starovoitov
2014-11-27 5:42 ` [PATCH net-next 2/6] net: sock: allow eBPF programs to be attached to sockets Alexei Starovoitov
2014-11-27 5:42 ` [PATCH net-next 3/6] samples: bpf: example of stateful socket filtering Alexei Starovoitov
[not found] ` <1417066951-1999-4-git-send-email-ast-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2014-11-30 5:01 ` David Miller [this message]
[not found] ` <20141129.210158.2021042941461629799.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-11-30 6:24 ` Alexei Starovoitov
2014-11-27 5:42 ` [PATCH net-next 4/6] samples: bpf: elf_bpf file loader Alexei Starovoitov
2014-11-27 5:42 ` [PATCH net-next 5/6] samples: bpf: trivial eBPF program in C Alexei Starovoitov
2014-11-27 5:42 ` [PATCH net-next 6/6] samples: bpf: large " Alexei Starovoitov