From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH] kernel: Enable XDP
Date: Sun, 21 Apr 2024 21:04:00 +0000
Message-ID: <712680e2-6e65-4ad2-99eb-4a3b0fe36e4d@ipfire.org>
In-Reply-To: <20240418210855.3318587-1-michael.tremer@ipfire.org>
Hello Michael,

thank you for working on this in particular and the SYNPROXY patchset.

If my understanding of the situation is correct, the changes this patch
proposes would only be necessary for Vincent Li's DDoS mitigation that
leverages XDP, which remains a custom setup IPFire otherwise does not
support (in terms of having it documented, supported by the web interface,
etc.).

Frankly, I still think that the misuse potential of having XDP enabled
outweighs the benefits of doing so, and I'd rather not see this attack
surface being opened by default on IPFire systems, "just" to permit one
single custom setup of which the exact nature and benefit still largely
remains unclear to me. Personally, I'd much rather see the SYNPROXY patchset
you submitted land in IPFire, be properly supported, and enabled by default.

No offense.

Thanks, and best regards,
Peter Müller

> https://lists.ipfire.org/hyperkitty/list/development(a)lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
> config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
> config/kernel/kernel.config.x86_64-ipfire | 11 ++++++++++-
> 3 files changed, 32 insertions(+), 3 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index b85d7add9..3d8282ac6 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
> #
> # BPF subsystem
> #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
> CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
> CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
> # end of BPF subsystem
>
> CONFIG_PREEMPT_BUILD=y
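Review bot: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y only sets the default of the kernel.unprivileged_bpf_disabled sysctl to 2, which a privileged process can flip back to 0 at runtime; if the intent is to keep bpf(2) closed to unprivileged users for the lifetime of the system, pair this hunk with a boot-time "kernel.unprivileged_bpf_disabled = 1" in IPFire's sysctl configuration (value 1 cannot be undone until reboot) and say so in the commit message. CONFIG_BPF_JIT_ALWAYS_ON=y is the right choice since it removes the interpreter, but the hunk leaves JIT constant blinding at its default; with unprivileged BPF off, the only setting that still matters is net.core.bpf_jit_harden=2, which blinds constants for the privileged programs this config allows.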
> @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=y
> CONFIG_TASKS_RCU_GENERIC=y
> CONFIG_TASKS_RCU=y
> CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
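Review bot: the commit message does not mention that CONFIG_TASKS_TRACE_RCU=y is a dependency selected by CONFIG_BPF_SYSCALL (it backs sleepable BPF programs), not an independent tuning choice; a one-line note that the RCU and cgroup lines in this patch are olddefconfig fallout would spare the next reader from wondering whether scheduler behaviour changes.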
> @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=y
> CONFIG_CGROUP_DEVICE=y
> CONFIG_CGROUP_CPUACCT=y
> CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
> # CONFIG_CGROUP_MISC is not set
> # CONFIG_CGROUP_DEBUG is not set
> CONFIG_SOCK_CGROUP_DATA=y
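Review bot: keeping CONFIG_CGROUP_BPF off is consistent with the stated XDP-only scope, since it leaves out the cgroup attach points (socket, sockaddr, device and sysctl hooks) that would otherwise arrive with the syscall; worth one sentence in the commit message so that a later cleanup does not "fix" it as a missing dependency.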
> @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=m
> CONFIG_XFRM_IPCOMP=m
> CONFIG_NET_KEY=m
> CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
> CONFIG_NET_HANDSHAKE=y
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
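Review bot: CONFIG_XDP_SOCKETS=y is not a prerequisite for attaching XDP programs (that needs only CONFIG_BPF_SYSCALL plus driver support for native mode); AF_XDP sockets are a separate zero-copy path that hands raw frames to user space and bring their own attack surface. If the DDoS setup this patch is meant to enable drops traffic in-kernel and never redirects to an AF_XDP socket, drop these two lines; if it does redirect, state that in the commit message. CONFIG_XDP_SOCKETS_DIAG=m is only the sock_diag module for inspecting such sockets and should follow whatever is decided for the first line.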
> @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> CONFIG_NETFILTER_NETLINK=m
> CONFIG_NETFILTER_FAMILY_BRIDGE=y
> CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
> # CONFIG_NETFILTER_NETLINK_HOOK is not set
> CONFIG_NETFILTER_NETLINK_ACCT=m
> CONFIG_NETFILTER_NETLINK_QUEUE=m
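Review bot: CONFIG_NETFILTER_BPF_LINK=y enables a feature unrelated to XDP: BPF programs attaching as netfilter hooks (BPF_PROG_TYPE_NETFILTER through the bpf_link API) at the same hook points nftables uses. That is surface beyond what the subject "Enable XDP" announces. Worth checking whether this kernel's Kconfig allows it to be disabled independently of BPF_SYSCALL (in recent trees it is a def_bool tied to it); if it cannot, the commit message should at least acknowledge the additional program type.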
> @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=m
> #
> # HID-BPF support
> #
> +# CONFIG_HID_BPF is not set
> # end of HID-BPF support
>
> #
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index 2bd39e7de..fd2172a25 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=y
> #
> # BPF subsystem
> #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
> CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
> +CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
> +# CONFIG_BPF_LSM is not set
> # end of BPF subsystem
>
> CONFIG_PREEMPT_VOLUNTARY_BUILD=y
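Review bot: this hunk differs from the aarch64 and x86_64 BPF subsystem hunks in two lines, "+CONFIG_BPF_JIT_DEFAULT_ON=y" (added here, unchanged context there) and "+# CONFIG_BPF_LSM is not set" (absent there). The first is harmless: BPF_JIT_DEFAULT_ON is derived from BPF_JIT_ALWAYS_ON, so it simply surfaces on an arch that does not set ARCH_WANT_DEFAULT_BPF_JIT. The second shows the three configs do not end up with identical BPF option sets (BPF_LSM depends on BPF_EVENTS, which only the riscv64 diff turns on); keeping BPF_LSM off is right for the stated scope, but the per-arch divergence deserves a sentence in the commit message.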
> @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=y
> CONFIG_TREE_SRCU=y
> CONFIG_TASKS_RCU_GENERIC=y
> CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=y
> CONFIG_CGROUP_DEVICE=y
> CONFIG_CGROUP_CPUACCT=y
> CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
> # CONFIG_CGROUP_MISC is not set
> # CONFIG_CGROUP_DEBUG is not set
> CONFIG_SOCK_CGROUP_DATA=y
> @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=m
> CONFIG_XFRM_IPCOMP=m
> CONFIG_NET_KEY=m
> CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
> CONFIG_NET_HANDSHAKE=y
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
> @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> CONFIG_NETFILTER_NETLINK=y
> CONFIG_NETFILTER_FAMILY_BRIDGE=y
> CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
> # CONFIG_NETFILTER_NETLINK_HOOK is not set
> CONFIG_NETFILTER_NETLINK_ACCT=m
> CONFIG_NETFILTER_NETLINK_QUEUE=m
> @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> # CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> +CONFIG_BPF_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> CONFIG_FTRACE_MCOUNT_RECORD=y
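Review bot: CONFIG_BPF_EVENTS=y turns on the tracing attach surface (BPF programs on kprobes, uprobes and tracepoints, with kernel-memory reads through the probe helpers), which has nothing to do with XDP. It is a derived option that becomes y once BPF_SYSCALL is set alongside PERF_EVENTS and a probe-events option; the context line "CONFIG_UPROBE_EVENTS=y" above is the trigger, which explains why only the riscv64 config shows it and why "# CONFIG_BPF_LSM is not set" appears earlier in this file. If the tracing program types are not wanted on a firewall, the lever is the UPROBE_EVENTS/KPROBE_EVENTS options on this arch; either way the commit message should explain why riscv64 ends up with more BPF program types than the other two architectures.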
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 8ce66cb4f..ec3bca2e7 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
> #
> # BPF subsystem
> #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
> CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
> CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
> # end of BPF subsystem
>
> CONFIG_PREEMPT_BUILD=y
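Review bot: identical to the aarch64 BPF subsystem hunk, so the same two follow-ups apply here: pin kernel.unprivileged_bpf_disabled=1 at boot instead of relying on the runtime-changeable default of 2 that CONFIG_BPF_UNPRIV_DEFAULT_OFF=y provides, and set net.core.bpf_jit_harden=2 so constant blinding covers the privileged programs this config permits.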
> @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=y
> CONFIG_TASKS_RCU_GENERIC=y
> CONFIG_TASKS_RCU=y
> CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=y
> CONFIG_CGROUP_DEVICE=y
> CONFIG_CGROUP_CPUACCT=y
> CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
> # CONFIG_CGROUP_MISC is not set
> # CONFIG_CGROUP_DEBUG is not set
> CONFIG_SOCK_CGROUP_DATA=y
> @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=m
> CONFIG_XFRM_IPCOMP=m
> CONFIG_NET_KEY=m
> CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
> CONFIG_NET_HANDSHAKE=y
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
> @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> CONFIG_NETFILTER_NETLINK=y
> CONFIG_NETFILTER_FAMILY_BRIDGE=y
> CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
> # CONFIG_NETFILTER_NETLINK_HOOK is not set
> CONFIG_NETFILTER_NETLINK_ACCT=m
> CONFIG_NETFILTER_NETLINK_QUEUE=m
> @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=m
> #
> # HID-BPF support
> #
> +# CONFIG_HID_BPF is not set
> # end of HID-BPF support
>
> #
Thread overview (6+ messages):
2024-04-18 21:08 Michael Tremer
2024-04-19 0:33 Vincent Li
2024-04-21 21:04 Peter Müller [this message]
2024-04-22 14:24 Vincent Li
2024-04-24 14:45 Michael Tremer
2024-04-24 18:27 Vincent Li