Hi David,

The following pull-request contains BPF updates for your *net-next* tree.

The main changes are:

1) Allow for RX stack hardening by implementing the kernel's flow
   dissector in BPF. Idea was originally presented at netconf 2017 [0].
   Quote from merge commit:

     [...]
     Because of the rigorous checks of the BPF verifier, this provides
     significant security guarantees. In particular, the BPF flow
     dissector cannot get inside of an infinite loop, as with
     CVE-2013-4348, because BPF programs are guaranteed to terminate.
     It cannot read outside of packet bounds, because all memory
     accesses are checked. Also, with BPF the administrator can decide
     which protocols to support, reducing potential attack surface.
     Rarely encountered protocols can be excluded from dissection and
     the program can be updated without kernel recompile or reboot if
     a bug is discovered.
     [...]

   Also, a sample flow dissector has been implemented in BPF as part
   of this work, from Petar and Willem.

   [0] http://vger.kernel.org/netconf2017_files/rx_hardening_and_udp_gso.pdf

2) Add support for bpftool to list currently active attachment
   points of BPF networking programs providing a quick overview
   similar to bpftool's perf subcommand, from Yonghong.

3) Fix a verifier pruning instability bug where a union member
   from the register state was not cleared properly leading to
   branches not being pruned despite them being valid candidates,
   from Alexei.

4) Various smaller fast-path optimizations in XDP's map redirect
   code, from Jesper.

5) Enable bpftool to recognize BPF_MAP_TYPE_REUSEPORT_SOCKARRAY
   maps, from Roman.

6) Remove a duplicate check in libbpf that probes for function
   storage, from Taeung.

7) Fix an issue in test_progs by avoiding checking for errno since
   on success its value should not be checked, from Mauricio.

8) Fix unused variable warning in bpf_getsockopt() helper when
   CONFIG_INET is not configured, from Anders.

9) Fix a compilation failure in the BPF sample code's use of
   bpf_flow_keys, from Prashant.

10) Minor cleanups in BPF code, from Yue and Zhong.

Please consider pulling these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git

Thanks a lot!

----------------------------------------------------------------

The following changes since commit 428f944bd58607021b5a1f85d145c0b50f908c6f:

  netlink: Make groups check less stupid in netlink_bind() (2018-09-05 22:11:33 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git

for you to fetch changes up to d0e13a1488ad30dc3c2c9347b931cb10f892e3a4:

  flow_dissector: lookup netns by skb->sk if skb->dev is NULL (2018-09-25 17:31:19 +0200)

----------------------------------------------------------------
Alexei Starovoitov (4):
      bpf/verifier: fix verifier instability
      Merge branch 'progarray_mapinmap_dump'
      Merge branch 'bpf-flow-dissector'
      selftests/bpf: fix bpf_flow.c build

Anders Roxell (1):
      net/core/filter: fix unused-variable warning

Jesper Dangaard Brouer (3):
      xdp: unlikely instrumentation for xdp map redirect
      xdp: explicit inline __xdp_map_lookup_elem
      xdp: split code for map vs non-map redirect

Mauricio Vasquez B (2):
      selftests/bpf: add missing executables to .gitignore
      selftests/bpf/test_progs: do not check errno == 0

Petar Penkov (5):
      flow_dissector: implements flow dissector BPF hook
      bpf: sync bpf.h uapi with tools/
      bpf: support flow dissector in libbpf and bpftool
      flow_dissector: implements eBPF parser
      selftests/bpf: test bpf flow dissection

Prashant Bhole (1):
      samples/bpf: fix compilation failure

Roman Gushchin (1):
      bpftool: add support for BPF_MAP_TYPE_REUSEPORT_SOCKARRAY maps

Taeung Song (1):
      libbpf: Remove the duplicate checking of function storage

Willem de Bruijn (2):
      flow_dissector: fix build failure without CONFIG_NET
      flow_dissector: lookup netns by skb->sk if skb->dev is NULL

Yonghong Song (9):
      tools/bpf: sync kernel uapi header if_link.h to tools
      tools/bpf: move bpf/lib netlink related functions into a new file
      tools/bpf: add more netlink functionalities in lib/bpf
      tools/bpf: bpftool: add net support
      bpf: add bpffs pretty print for program array map
      tools/bpf: bpftool: support prog array map and map of maps
      tools/bpf: fix a netlink recv issue
      tools/bpf: bpftool: improve output format for bpftool net
      samples/bpf: fix a compilation failure

YueHaibing (1):
      samples/bpf: remove duplicated includes

zhong jiang (1):
      bpf: remove redundant null pointer check before consume_skb

 include/linux/bpf.h                                |   1 +
 include/linux/bpf_types.h                          |   1 +
 include/linux/skbuff.h                             |  20 +
 include/net/net_namespace.h                        |   3 +
 include/net/sch_generic.h                          |  12 +-
 include/uapi/linux/bpf.h                           |  26 +
 kernel/bpf/arraymap.c                              |  25 +-
 kernel/bpf/sockmap.c                               |   6 +-
 kernel/bpf/syscall.c                               |   8 +
 kernel/bpf/verifier.c                              |  48 +-
 net/core/filter.c                                  | 139 +++-
 net/core/flow_dissector.c                          | 140 ++++
 samples/bpf/bpf_load.c                             |   1 -
 samples/bpf/sampleip_user.c                        |   1 -
 samples/bpf/sockex2_kern.c                         |  11 +-
 samples/bpf/sockex3_kern.c                         |   8 +-
 samples/bpf/sockex3_user.c                         |   4 +-
 samples/bpf/test_current_task_under_cgroup_user.c  |   1 -
 tools/bpf/bpftool/Documentation/bpftool-net.rst    | 139 ++++
 tools/bpf/bpftool/Documentation/bpftool.rst        |   6 +-
 tools/bpf/bpftool/bash-completion/bpftool          |  17 +-
 tools/bpf/bpftool/main.c                           |   3 +-
 tools/bpf/bpftool/main.h                           |   8 +
 tools/bpf/bpftool/map.c                            |  12 +-
 tools/bpf/bpftool/net.c                            | 272 +++++++
 tools/bpf/bpftool/netlink_dumper.c                 | 174 +++++
 tools/bpf/bpftool/netlink_dumper.h                 |  95 +++
 tools/bpf/bpftool/prog.c                           |   1 +
 tools/include/uapi/linux/bpf.h                     |  26 +
 tools/include/uapi/linux/if_link.h                 |  17 +
 tools/lib/bpf/Build                                |   2 +-
 tools/lib/bpf/bpf.c                                | 129 ----
 tools/lib/bpf/libbpf.c                             |   4 +-
 tools/lib/bpf/libbpf.h                             |  16 +
 tools/lib/bpf/libbpf_errno.c                       |   1 +
 tools/lib/bpf/netlink.c                            | 331 +++++++++
 tools/lib/bpf/nlattr.c                             |  33 +-
 tools/lib/bpf/nlattr.h                             |  38 +
 tools/testing/selftests/bpf/.gitignore             |   6 +
 tools/testing/selftests/bpf/Makefile               |   8 +-
 tools/testing/selftests/bpf/bpf_flow.c             | 373 ++++++++++
 tools/testing/selftests/bpf/config                 |   1 +
 tools/testing/selftests/bpf/flow_dissector_load.c  | 140 ++++
 tools/testing/selftests/bpf/test_flow_dissector.c  | 782 +++++++++++++++++++++
 tools/testing/selftests/bpf/test_flow_dissector.sh | 115 +++
 tools/testing/selftests/bpf/test_progs.c           |  20 +-
 tools/testing/selftests/bpf/with_addr.sh           |  54 ++
 tools/testing/selftests/bpf/with_tunnels.sh        |  36 +
 48 files changed, 3083 insertions(+), 231 deletions(-)
 create mode 100644 tools/bpf/bpftool/Documentation/bpftool-net.rst
 create mode 100644 tools/bpf/bpftool/net.c
 create mode 100644 tools/bpf/bpftool/netlink_dumper.c
 create mode 100644 tools/bpf/bpftool/netlink_dumper.h
 create mode 100644 tools/lib/bpf/netlink.c
 create mode 100644 tools/testing/selftests/bpf/bpf_flow.c
 create mode 100644 tools/testing/selftests/bpf/flow_dissector_load.c
 create mode 100644 tools/testing/selftests/bpf/test_flow_dissector.c
 create mode 100755 tools/testing/selftests/bpf/test_flow_dissector.sh
 create mode 100755 tools/testing/selftests/bpf/with_addr.sh
 create mode 100755 tools/testing/selftests/bpf/with_tunnels.sh
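
The properties quoted from the merge commit in item 1 (guaranteed termination, a bounds check before every packet read, and an explicit list of supported protocols) are shown below in a user-space C dissector written in the style the BPF verifier enforces. This is an added example, not code from this pull request or from the kernel; struct demo_keys, dissect(), MAX_HDRS and the sample packet are hypothetical names and constructed data, and IPv6 and fragments are deliberately unsupported.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_HDRS 4   /* assumed cap on nested headers (VLAN tags, IPIP) */
struct demo_keys { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
/* Explicit bounds test before every read, as the BPF verifier demands. */
static int has(const uint8_t *p, const uint8_t *end, size_t n) { return (size_t)(end - p) >= n; }

/* Returns 0 and fills k, or -1 for truncated, malformed or unsupported input. */
int dissect(const uint8_t *p, const uint8_t *end, struct demo_keys *k)
{
    if (!has(p, end, 14)) return -1;
    uint16_t eth = rd16(p + 12);
    p += 14;
    for (int i = 0; i < MAX_HDRS; i++) {       /* bounded: always terminates */
        if (eth == 0x8100) {                   /* 802.1Q tag */
            if (!has(p, end, 4)) return -1;
            eth = rd16(p + 2);
            p += 4;
        } else if (eth == 0x0800) {            /* IPv4 */
            if (!has(p, end, 20)) return -1;
            size_t ihl = (size_t)(p[0] & 0x0f) * 4;
            if (p[0] >> 4 != 4 || ihl < 20 || !has(p, end, ihl)) return -1;
            if (rd16(p + 6) & 0x3fff) return -1;   /* fragments not handled */
            k->proto = p[9];
            k->saddr = rd32(p + 12);
            k->daddr = rd32(p + 16);
            p += ihl;                          /* ihl >= 20: p always advances */
            if (k->proto == 4) continue;       /* IPIP: dissect inner IPv4 */
            if ((k->proto != 6 && k->proto != 17) || !has(p, end, 4)) return -1;
            k->sport = rd16(p);
            k->dport = rd16(p + 2);
            return 0;
        } else return -1;                      /* protocol not enabled */
    }
    return -1;                                 /* nested deeper than MAX_HDRS */
}
/* Constructed sample: Ethernet, one VLAN tag, IPv4, TCP ports 40000 -> 443. */
const uint8_t sample[] = {
    0,0,0,0,0,2, 0,0,0,0,0,1, 0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0,0,40, 0,0,0x40,0,
    64,6,0,0, 192,0,2,1, 198,51,100,7, 0x9c,0x40, 0x01,0xbb };
int main(void)
{
    struct demo_keys k;
    int rc = dissect(sample, sample + sizeof sample, &k);
    printf("rc=%d dport=%u\n", rc, rc ? 0u : (unsigned)k.dport);
    return 0;
}
```

Every truncation of the sample, an IPv4 header length below the minimum, an ethertype outside the supported set, and VLAN nesting deeper than MAX_HDRS all end in the same early -1 return rather than a further read or another loop iteration.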