From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH] kernel: Enable XDP
Date: Wed, 24 Apr 2024 16:45:51 +0200
Message-ID: <4806B066-A8BE-4817-9D56-C317A3F4F2E0@ipfire.org>

Hello,

> On 22 Apr 2024, at 16:24, Vincent Li wrote:
>
> On Sun, Apr 21, 2024 at 2:04 PM Peter Müller wrote:
>>
>> Hello Michael,
>>
>> thank you for working on this in particular and the SYNPROXY patchset.
>>
>> If my understanding of the situation is correct, the changes this patch
>> proposes would only be necessary for Vincent Li's DDoS mitigation that
>> leverages XDP, which remains a custom setup IPFire otherwise does not
>> support (in terms of having it documented, supported by the web interface,
>> etc.).

XDP is not configurable in the kernel. It is always compiled in, as it depends on the driver whether it is actually implemented.

What Vincent is asking for is to enable the BPF syscall.

>> Frankly, I still think that the misuse potential of having XDP enabled
>> outweighs the benefits of doing so, and I'd rather not see this attack
>> surface being opened by default on IPFire systems, "just" to permit one
>> single custom setup of which the exact nature and benefit still largely
>> remains unclear to me. Personally, I'd much rather see the SYNPROXY patchset
>> you submitted land in IPFire, be properly supported, and enabled by default.
>
> What attack interface does XDP expose? I guess you mean the eBPF feature
> enabled in general could expose attack interfaces. The kernel config I
> suggested, as I researched, only enables XDP/TC network functionality,
> no tracing functionality (which requires admin privilege even when enabled).
What Peter means is that the larger the codebase, the larger the number of exploitable bugs. IPFire generally tries to minimise the attack surface by disabling features that are not being used.

XDP cannot be disabled. There is not even a switch for it. So, that will always be there.

BPF cannot be disabled either, as it is enabled by default if the kernel is compiled with network support:

https://git.ipfire.org/?p=thirdparty/kernel/stable.git;a=blob;f=net/Kconfig;hb=ba151416051a45ffca565f708584b9cd5c971481#l10

> Enabling this allows IPFire users to customize their packet filter
> strategy; it opens up many possibilities, for example there is the
> bpfilter project to improve iptables/nftables:
> https://github.com/facebook/bpfilter.
> It allows innovation and progress :)

Not everything that is new is automatically innovation.

>
>> No offense.
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> https://lists.ipfire.org/hyperkitty/list/development(a)lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/
>>>
>>> Signed-off-by: Michael Tremer
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
>>> config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
>>> config/kernel/kernel.config.x86_64-ipfire | 11 ++++++++++-
>>> 3 files changed, 32 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>> index b85d7add9..3d8282ac6 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=3Dy >>> # >>> # BPF subsystem >>> # >>> -# CONFIG_BPF_SYSCALL is not set >>> +CONFIG_BPF_SYSCALL=3Dy >>> CONFIG_BPF_JIT=3Dy >>> +CONFIG_BPF_JIT_ALWAYS_ON=3Dy >>> CONFIG_BPF_JIT_DEFAULT_ON=3Dy >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=3Dy >>> +# CONFIG_BPF_PRELOAD is not set >>> # end of BPF subsystem >>>=20 >>> CONFIG_PREEMPT_BUILD=3Dy >>> @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=3Dy >>> CONFIG_TASKS_RCU_GENERIC=3Dy >>> CONFIG_TASKS_RCU=3Dy >>> CONFIG_TASKS_RUDE_RCU=3Dy >>> +CONFIG_TASKS_TRACE_RCU=3Dy >>> CONFIG_RCU_STALL_COMMON=3Dy >>> CONFIG_RCU_NEED_SEGCBLIST=3Dy >>> # end of RCU Subsystem >>> @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=3Dy >>> CONFIG_CGROUP_DEVICE=3Dy >>> CONFIG_CGROUP_CPUACCT=3Dy >>> CONFIG_CGROUP_PERF=3Dy >>> +# CONFIG_CGROUP_BPF is not set >>> # CONFIG_CGROUP_MISC is not set >>> # CONFIG_CGROUP_DEBUG is not set >>> CONFIG_SOCK_CGROUP_DATA=3Dy >>> @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=3Dm >>> CONFIG_XFRM_IPCOMP=3Dm >>> CONFIG_NET_KEY=3Dm >>> CONFIG_NET_KEY_MIGRATE=3Dy >>> +CONFIG_XDP_SOCKETS=3Dy >>> +CONFIG_XDP_SOCKETS_DIAG=3Dm >>> CONFIG_NET_HANDSHAKE=3Dy >>> CONFIG_INET=3Dy >>> CONFIG_IP_MULTICAST=3Dy >>> @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=3Dy >>> CONFIG_NETFILTER_NETLINK=3Dm >>> CONFIG_NETFILTER_FAMILY_BRIDGE=3Dy >>> CONFIG_NETFILTER_FAMILY_ARP=3Dy >>> +CONFIG_NETFILTER_BPF_LINK=3Dy >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set >>> CONFIG_NETFILTER_NETLINK_ACCT=3Dm >>> CONFIG_NETFILTER_NETLINK_QUEUE=3Dm >>> @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=3Dm >>> # >>> # HID-BPF support >>> # >>> +# CONFIG_HID_BPF is not set >>> # end of HID-BPF support >>>=20 >>> # >>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/k= ernel.config.riscv64-ipfire >>> index 2bd39e7de..fd2172a25 100644 >>> --- a/config/kernel/kernel.config.riscv64-ipfire >>> +++ b/config/kernel/kernel.config.riscv64-ipfire 
>>> @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=3Dy >>> # >>> # BPF subsystem >>> # >>> -# CONFIG_BPF_SYSCALL is not set >>> +CONFIG_BPF_SYSCALL=3Dy >>> CONFIG_BPF_JIT=3Dy >>> +CONFIG_BPF_JIT_ALWAYS_ON=3Dy >>> +CONFIG_BPF_JIT_DEFAULT_ON=3Dy >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=3Dy >>> +# CONFIG_BPF_PRELOAD is not set >>> +# CONFIG_BPF_LSM is not set >>> # end of BPF subsystem >>>=20 >>> CONFIG_PREEMPT_VOLUNTARY_BUILD=3Dy >>> @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=3Dy >>> CONFIG_TREE_SRCU=3Dy >>> CONFIG_TASKS_RCU_GENERIC=3Dy >>> CONFIG_TASKS_RUDE_RCU=3Dy >>> +CONFIG_TASKS_TRACE_RCU=3Dy >>> CONFIG_RCU_STALL_COMMON=3Dy >>> CONFIG_RCU_NEED_SEGCBLIST=3Dy >>> # end of RCU Subsystem >>> @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=3Dy >>> CONFIG_CGROUP_DEVICE=3Dy >>> CONFIG_CGROUP_CPUACCT=3Dy >>> CONFIG_CGROUP_PERF=3Dy >>> +# CONFIG_CGROUP_BPF is not set >>> # CONFIG_CGROUP_MISC is not set >>> # CONFIG_CGROUP_DEBUG is not set >>> CONFIG_SOCK_CGROUP_DATA=3Dy >>> @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=3Dm >>> CONFIG_XFRM_IPCOMP=3Dm >>> CONFIG_NET_KEY=3Dm >>> CONFIG_NET_KEY_MIGRATE=3Dy >>> +CONFIG_XDP_SOCKETS=3Dy >>> +CONFIG_XDP_SOCKETS_DIAG=3Dm >>> CONFIG_NET_HANDSHAKE=3Dy >>> CONFIG_INET=3Dy >>> CONFIG_IP_MULTICAST=3Dy >>> @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=3Dy >>> CONFIG_NETFILTER_NETLINK=3Dy >>> CONFIG_NETFILTER_FAMILY_BRIDGE=3Dy >>> CONFIG_NETFILTER_FAMILY_ARP=3Dy >>> +CONFIG_NETFILTER_BPF_LINK=3Dy >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set >>> CONFIG_NETFILTER_NETLINK_ACCT=3Dm >>> CONFIG_NETFILTER_NETLINK_QUEUE=3Dm >>> @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=3Dy >>> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set >>> # CONFIG_BLK_DEV_IO_TRACE is not set >>> CONFIG_UPROBE_EVENTS=3Dy >>> +CONFIG_BPF_EVENTS=3Dy >>> CONFIG_DYNAMIC_EVENTS=3Dy >>> CONFIG_PROBE_EVENTS=3Dy >>> CONFIG_FTRACE_MCOUNT_RECORD=3Dy >>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/ke= rnel.config.x86_64-ipfire >>> index 8ce66cb4f..ec3bca2e7 100644 
>>> --- a/config/kernel/kernel.config.x86_64-ipfire >>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>> @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=3Dy >>> # >>> # BPF subsystem >>> # >>> -# CONFIG_BPF_SYSCALL is not set >>> +CONFIG_BPF_SYSCALL=3Dy >>> CONFIG_BPF_JIT=3Dy >>> +CONFIG_BPF_JIT_ALWAYS_ON=3Dy >>> CONFIG_BPF_JIT_DEFAULT_ON=3Dy >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=3Dy >>> +# CONFIG_BPF_PRELOAD is not set >>> # end of BPF subsystem >>>=20 >>> CONFIG_PREEMPT_BUILD=3Dy >>> @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=3Dy >>> CONFIG_TASKS_RCU_GENERIC=3Dy >>> CONFIG_TASKS_RCU=3Dy >>> CONFIG_TASKS_RUDE_RCU=3Dy >>> +CONFIG_TASKS_TRACE_RCU=3Dy >>> CONFIG_RCU_STALL_COMMON=3Dy >>> CONFIG_RCU_NEED_SEGCBLIST=3Dy >>> # end of RCU Subsystem >>> @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=3Dy >>> CONFIG_CGROUP_DEVICE=3Dy >>> CONFIG_CGROUP_CPUACCT=3Dy >>> CONFIG_CGROUP_PERF=3Dy >>> +# CONFIG_CGROUP_BPF is not set >>> # CONFIG_CGROUP_MISC is not set >>> # CONFIG_CGROUP_DEBUG is not set >>> CONFIG_SOCK_CGROUP_DATA=3Dy >>> @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=3Dm >>> CONFIG_XFRM_IPCOMP=3Dm >>> CONFIG_NET_KEY=3Dm >>> CONFIG_NET_KEY_MIGRATE=3Dy >>> +CONFIG_XDP_SOCKETS=3Dy >>> +CONFIG_XDP_SOCKETS_DIAG=3Dm >>> CONFIG_NET_HANDSHAKE=3Dy >>> CONFIG_INET=3Dy >>> CONFIG_IP_MULTICAST=3Dy >>> @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=3Dy >>> CONFIG_NETFILTER_NETLINK=3Dy >>> CONFIG_NETFILTER_FAMILY_BRIDGE=3Dy >>> CONFIG_NETFILTER_FAMILY_ARP=3Dy >>> +CONFIG_NETFILTER_BPF_LINK=3Dy >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set >>> CONFIG_NETFILTER_NETLINK_ACCT=3Dm >>> CONFIG_NETFILTER_NETLINK_QUEUE=3Dm >>> @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=3Dm >>> # >>> # HID-BPF support >>> # >>> +# CONFIG_HID_BPF is not set >>> # end of HID-BPF support >>>=20 >>> # --===============7445368556679565007==--
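Review bot: the three "BPF subsystem" hunks (@@ -93 in aarch64, @@ -103 in riscv64, @@ -113 in x86_64) pair +CONFIG_BPF_SYSCALL=y with +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y and +CONFIG_BPF_JIT_ALWAYS_ON=y, and leave BPF_PRELOAD off, which is exactly the mitigation the attack-surface objection in this thread asks about, yet the commit message is only a link to the discussion and says none of it. Please state in the commit message that the syscall is exposed to privileged callers only by default and which BPF features are deliberately kept off (BPF_PRELOAD, CGROUP_BPF, HID_BPF), and explain why the riscv64 hunk differs from the other two (it alone adds +CONFIG_BPF_JIT_DEFAULT_ON=y and +# CONFIG_BPF_LSM is not set).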
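Review bot: in the riscv64 hunk @@ -7383,6 +7393,7 @@, +CONFIG_BPF_EVENTS=y enables the tracing BPF program types (kprobe, tracepoint and perf_event attachment), which is the tracing functionality the thread says the proposed config does not turn on, and neither the aarch64 nor the x86_64 diff adds an equivalent line. If this is being auto-selected from CONFIG_BPF_SYSCALL together with the CONFIG_UPROBE_EVENTS=y visible in the context, the commit message should say so and the other two architectures should be checked for the same effect; if it is not required, it should be dropped so all three configs expose the same program types.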
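Review bot: in the three hunks headed CONFIG_XFRM_ESP=m, +CONFIG_XDP_SOCKETS=y and +CONFIG_XDP_SOCKETS_DIAG=m add AF_XDP sockets, which are not needed to load and run an XDP program on an interface; if the only use case is the XDP-based DDoS filter discussed above, both lines can stay at their previous state, otherwise the commit message should name what consumes AF_XDP.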
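Review bot: +CONFIG_NETFILTER_BPF_LINK=y in the three hunks headed CONFIG_NETFILTER_SKIP_EGRESS=y adds a further attach point (BPF programs at netfilter hooks) beyond the XDP/TC functionality the thread describes; if it cannot be left off once the syscall is enabled, say so in the commit message, otherwise leave it unset to keep the change to what the XDP use case needs.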
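As an added example, not part of this thread or of the IPFire patch: a small POSIX shell audit that reads a kernel .config and reports, for the BPF symbols the patch touches, which hardening symbols are missing once CONFIG_BPF_SYSCALL is on and which additional program types or attach points are enabled. Which symbols count as hardening and which as extra surface is my own reading of the discussion above, and the embedded sample config is constructed (modelled on the riscv64 hunks), not taken from the repository.

```shell
#!/bin/sh
# cfg_is_set FILE SYMBOL: true when CONFIG_SYMBOL is built in (=y) or a module (=m).
cfg_is_set() {
    grep -Eq '^CONFIG_'"$2"'=(y|m)$' "$1"
}

# bpf_config_findings FILE: prints one line per finding and always exits 0.
#   MISSING <sym>: hardening expected once the BPF syscall is exposed is absent.
#   EXTRA <sym>:   a program type or attach point beyond plain XDP/TC is on.
bpf_config_findings() {
    if ! cfg_is_set "$1" BPF_SYSCALL; then
        echo "INFO BPF_SYSCALL off: no BPF programs can be loaded"
        return 0
    fi
    for sym in BPF_UNPRIV_DEFAULT_OFF BPF_JIT_ALWAYS_ON; do
        cfg_is_set "$1" "$sym" || echo "MISSING $sym"
    done
    # Assumption: which symbols count as "extra" is this reviewer's reading of the thread.
    for sym in BPF_EVENTS CGROUP_BPF BPF_LSM BPF_PRELOAD HID_BPF XDP_SOCKETS NETFILTER_BPF_LINK; do
        cfg_is_set "$1" "$sym" && echo "EXTRA $sym"
    done
    return 0
}

# bpf_config_finding_count FILE: number of MISSING/EXTRA lines (0 when clean).
bpf_config_finding_count() {
    bpf_config_findings "$1" | grep -c -E '^(MISSING|EXTRA) ' || true
}

# write_sample_config FILE: constructed fragment modelled on the riscv64 hunks above.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_CGROUP_BPF is not set
CONFIG_XDP_SOCKETS=y
CONFIG_NETFILTER_BPF_LINK=y
CONFIG_BPF_EVENTS=y
EOF
}

# Usage: sh bpf-audit.sh /boot/config-$(uname -r); with no argument the sample is audited.
if [ "$#" -gt 0 ]; then
    bpf_config_findings "$1"
else
    tmp=$(mktemp); write_sample_config "$tmp"; bpf_config_findings "$tmp"; rm -f "$tmp"
fi
```

On the sample the script reports EXTRA BPF_EVENTS, EXTRA XDP_SOCKETS and EXTRA NETFILTER_BPF_LINK and no MISSING lines; point it at one of the config/kernel/kernel.config.*-ipfire files to compare the three architectures.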