From: Pablo Neira Ayuso <pablo-Cap9r6Oaw4JrovVCs/uTlw@public.gmane.org>
To: Thomas Graf <tgraf-G/eBtMaohhA@public.gmane.org>
Cc: Daniel Mack <daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>,
htejun-b10kYP2dOMg@public.gmane.org,
daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org,
ast-b10kYP2dOMg@public.gmane.org,
davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org,
kafai-b10kYP2dOMg@public.gmane.org,
fw-HFFVJYpyMKqzQB+pC5nmwQ@public.gmane.org,
harald-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
sargun-GaZTRHToo+CzQB+pC5nmwQ@public.gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs
Date: Thu, 22 Sep 2016 11:21:38 +0200 [thread overview]
Message-ID: <20160922092138.GA12108@salvia> (raw)
In-Reply-To: <20160921184827.GA15732-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
On Wed, Sep 21, 2016 at 08:48:27PM +0200, Thomas Graf wrote:
> On 09/21/16 at 05:45pm, Pablo Neira Ayuso wrote:
> > On Tue, Sep 20, 2016 at 06:43:35PM +0200, Daniel Mack wrote:
> > > The point is that from an application's perspective, restricting the
> > > ability to bind a port and dropping packets that are being sent is a
> > > very different thing. Applications will start to behave differently if
> > > they can't bind to a port, and that's something we do not want to happen.
> >
> > What is exactly the problem? Applications are not checking for return
> > value from bind? They should be fixed. If you want to collect
> > statistics, I see no reason why you couldn't collect them for every
> > EACCESS on each bind() call.
>
> It's not about applications not checking the return value of bind().
> Unfortunately, many applications (or the respective libraries they use)
> retry on connect() failure but handle bind() errors as a hard failure
> and exit. Yes, it's an application or library bug but these
> applications have very specific exceptions how something fails.
> Sometimes even going from drop to RST will break applications.
>
> Paranoia speaking: by returning errors where no error was returned
> before, undefined behaviour occurs. In Murphy speak: things break.
>
> This is given and we can't fix it from the kernel side. Returning at
> system call level has many benefits but it's not always an option.
>
> Adding the late hook does not prevent filtering at socket layer to
> also be added. I think we need both.
I have a hard time to buy this new specific hook, I think we should
shift focus of this debate, this is my proposal to untangle this:
You add a net/netfilter/nft_bpf.c expression that allows you to run
bpf programs from nf_tables. This expression can either run bpf
programs in a similar fashion to tc+bpf or run the bpf program that
you have attached to the cgroup.
To achieve this, I'd suggest you also add a new bpf chain type. That
new chain type would basically provide raw access to netfilter hooks
via nf_tables netlink interface. This bpf chain would exclusively
take rules that use this new bpf expression.
I see good things on this proposal:
* This is consistent to what we offer via tc+bpf.
* It becomes easily visible to the user that a bpf program is running
from the packet path, or any cgroup+bpf filtering is going on. Thus,
no matter what those orchestrators do, this filtering becomes
visible to sysadmins that are familiar with the existing command line
tooling.
* You get access to all of the existing netfilter hooks in one go.
A side note on this: I would suggest this conversation focuses on
discussing aspects at a slightly higher level rather than counting raw
load and stores instructions... I think this effort requires looking
at the whole forest, instead barfing at one single tree. Genericity
always comes at a slight cost, and to all those programmability fans
here, please remember we have a generic stack between hands after all.
So let's try to accomodate this new requirements in a way that makes
sense.
Thanks.
next prev parent reply other threads:[~2016-09-22 9:21 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-19 16:43 [PATCH v6 0/6] Add eBPF hooks for cgroups Daniel Mack
2016-09-19 16:43 ` [PATCH v6 1/6] bpf: add new prog type for cgroup socket filtering Daniel Mack
[not found] ` <1474303441-3745-1-git-send-email-daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-19 16:43 ` [PATCH v6 2/6] cgroup: add support for eBPF programs Daniel Mack
2016-09-19 16:43 ` [PATCH v6 4/6] net: filter: run cgroup eBPF ingress programs Daniel Mack
2016-09-19 16:44 ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs Daniel Mack
2016-09-19 19:19 ` Pablo Neira Ayuso
2016-09-19 19:30 ` Daniel Mack
[not found] ` <ac88bb4c-ab7c-1f74-c7fd-79e523b50ae4-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-19 20:35 ` Pablo Neira Ayuso
2016-09-19 20:56 ` Daniel Mack
2016-09-20 14:29 ` Pablo Neira Ayuso
2016-09-20 16:43 ` Daniel Mack
[not found] ` <6584b975-fa3e-8d98-f0c7-a2c6b194b2b6-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-21 15:45 ` Pablo Neira Ayuso
2016-09-21 18:48 ` Thomas Graf
[not found] ` <20160921184827.GA15732-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
2016-09-22 9:21 ` Pablo Neira Ayuso [this message]
2016-09-22 9:54 ` Thomas Graf
[not found] ` <20160922095411.GA5654-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
2016-09-22 12:05 ` Pablo Neira Ayuso
2016-09-22 15:12 ` Daniel Borkmann
[not found] ` <57E3F4F9.70300-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2016-09-22 15:53 ` Daniel Mack
2016-09-23 13:17 ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup ebpf " Pablo Neira Ayuso
2016-09-26 10:10 ` Daniel Borkmann
2016-09-20 16:53 ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF " Thomas Graf
2016-09-19 20:13 ` Alexei Starovoitov
2016-09-19 20:39 ` Pablo Neira Ayuso
[not found] ` <20160919201322.GA84770-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-09-19 21:28 ` Thomas Graf
[not found] ` <1474303441-3745-6-git-send-email-daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-20 5:44 ` kbuild test robot
2016-10-21 5:32 ` [PATCH v6 0/6] Add eBPF hooks for cgroups David Ahern
2016-09-19 16:43 ` [PATCH v6 3/6] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands Daniel Mack
2016-09-19 16:44 ` [PATCH v6 6/6] samples: bpf: add userspace example for attaching eBPF programs to cgroups Daniel Mack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160922092138.GA12108@salvia \
--to=pablo-cap9r6oaw4jrovvcs/utlw@public.gmane.org \
--cc=ast-b10kYP2dOMg@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org \
--cc=daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org \
--cc=davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org \
--cc=fw-HFFVJYpyMKqzQB+pC5nmwQ@public.gmane.org \
--cc=harald-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=htejun-b10kYP2dOMg@public.gmane.org \
--cc=kafai-b10kYP2dOMg@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=sargun-GaZTRHToo+CzQB+pC5nmwQ@public.gmane.org \
--cc=tgraf-G/eBtMaohhA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).