Subject: Re: [PATCH bpf-next v3 00/16] bpfilter
From: Quentin Deslandes
To: Florian Westphal
CC: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Mykola Lysenko, Shuah Khan, Dmitrii Banshchikov, Kernel Team
Date: Fri, 6 Jan 2023 15:43:39 +0100
Message-ID: <8773f286-74ba-4efb-4a94-0c1f91d959bd@naccy.de>
In-Reply-To: <20230103114540.GB13151@breakpoint.cc>
References: <20221224000402.476079-1-qde@naccy.de> <20230103114540.GB13151@breakpoint.cc>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/01/2023 12:45, Florian Westphal wrote:
> Quentin Deslandes wrote:
>> The patchset is based on the patches from David S. Miller [1],
>> Daniel Borkmann [2], and Dmitrii Banshchikov [3].
>>
>> Note: I've partially sent this patchset earlier due to a
>> mistake on my side, sorry for the noise.
>>
>> The main goal of the patchset is to prepare bpfilter for
>> iptables' configuration blob parsing and code generation.
>>
>> The patchset introduces data structures and code for matches,
>> targets, rules and tables. Besides that, the code generation
>> is introduced.
>>
>> The first version of the code generation supports only "inline"
>> mode - all chains and their rules emit instructions in a linear
>> approach.
>>
>> Things that are not implemented yet:
>> 1) The process of switching from the previous BPF programs to the
>> new set isn't atomic.
>
> You can't make this atomic from the userspace perspective, the
> get/setsockopt API of iptables uses a read-modify-write model.

This refers to updating the programs from bpfilter's side.
It won't be atomic from iptables' point of view, but currently bpfilter will remove the program associated with a table before installing the new one. This means packets received between those operations are not filtered. I assume a better solution is possible.

> Tentatively I'd try to extend libnftnl and generate bpf code there,
> since it's used by both iptables(-nft) and nftables we'd automatically
> get support for both.

That's one of the options; this could also remain in the kernel tree or in a dedicated git repository. I don't know which one would be the best, I'm open to suggestions.

> I was planning to look into "attach bpf progs to raw netfilter hooks"
> in Q1 2023, once the initial nf-bpf-codegen is merged.

Is there any plan to support non-raw hooks? That's mainly out of curiosity, I don't even know whether that would be a good thing or not.
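The replacement window discussed above (remove the old program, then install the new one, with packets arriving in between) modeled as an added Python example; this is an editor's illustration, not bpfilter or kernel code. The `Table`, `old_prog`, `new_prog` names, the packet dictionaries and the two replacement procedures are all constructed for the example; the point is only that the order of the slot updates decides whether a packet can ever hit an empty slot.

```python
"""Added example (not bpfilter or kernel code): a toy model of the program
replacement window described in the thread.

A "table" holds one filter program that the hook consults for every packet.
One constructed packet arrives between each step of a replacement procedure,
and we count how many packets pass while no program is attached.
"""
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Packet = Dict[str, object]
Program = Callable[[Packet], bool]  # True = accept, False = drop


def old_prog(pkt: Packet) -> bool:
    """Constructed 'old' ruleset: drop TCP to port 22, accept everything else."""
    return not (pkt["proto"] == "tcp" and pkt["dport"] == 22)


def new_prog(pkt: Packet) -> bool:
    """Constructed 'new' ruleset: additionally drop TCP to port 23."""
    return not (pkt["proto"] == "tcp" and pkt["dport"] in (22, 23))


class Table:
    """One table with a single attached-program slot consulted by the hook."""

    def __init__(self, prog: Optional[Program]) -> None:
        self.prog = prog

    def hook(self, pkt: Packet) -> Tuple[bool, bool]:
        """Return (verdict, filtered). filtered=False means the slot was empty
        and the packet passed without any program looking at it."""
        if self.prog is None:
            return True, False
        return self.prog(pkt), True


def replace_detach_first(table: Table, new: Program) -> Iterator[str]:
    """Remove the old program, then install the new one (the ordering the
    thread describes): the slot is empty between the two steps."""
    table.prog = None
    yield "detached old program"
    table.prog = new
    yield "attached new program"


def replace_swap_first(table: Table, new: Program) -> Iterator[str]:
    """Install the new program with a single slot update, then release the
    old one: the hook always sees either the old or the new program."""
    old = table.prog
    table.prog = new
    yield "swapped in new program"
    del old  # the old program is released only after the swap is visible
    yield "released old program"


# Constructed traffic: one packet arrives after each replacement step.
PACKETS: List[Packet] = [
    {"proto": "tcp", "dport": 22},  # should be dropped by both rulesets
    {"proto": "tcp", "dport": 23},  # dropped by the new ruleset only
    {"proto": "udp", "dport": 53},  # accepted by both
]


def run(replacer: Callable[[Table, Program], Iterator[str]],
        packets: List[Packet]) -> Tuple[int, List[bool]]:
    """Drive the replacement one step per packet; return the number of
    packets that passed unfiltered and the per-packet verdicts."""
    table = Table(old_prog)
    steps = replacer(table, new_prog)
    unfiltered = 0
    verdicts: List[bool] = []
    for pkt in packets:
        next(steps, None)  # replacement advances, then a packet hits the hook
        verdict, filtered = table.hook(pkt)
        verdicts.append(verdict)
        if not filtered:
            unfiltered += 1
    return unfiltered, verdicts


if __name__ == "__main__":
    for name, replacer in (("detach-first", replace_detach_first),
                           ("swap-first", replace_swap_first)):
        count, verdicts = run(replacer, PACKETS)
        print(f"{name}: {count} packet(s) unfiltered, verdicts={verdicts}")
```

With the detach-first ordering the TCP/22 packet that arrives right after the old program is removed is accepted without being evaluated at all, which is exactly the unfiltered gap described in the reply; with swap-first the same packet is dropped by the new program and no packet ever sees an empty slot. The kernel's BPF link API offers `BPF_LINK_UPDATE` (libbpf `bpf_link_update()`) as an atomic in-place program replacement for the link types that support it, which is the usual way to avoid such a window where it applies.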