From: Vincent Li
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH] kernel: Enable XDP
Date: Wed, 24 Apr 2024 11:27:35 -0700
Message-ID:
In-Reply-To: <4806B066-A8BE-4817-9D56-C317A3F4F2E0@ipfire.org>

On Wed, Apr 24, 2024 at 7:45 AM Michael Tremer wrote:
>
> Hello,
>
> > On 22 Apr 2024, at 16:24, Vincent Li wrote:
> >
> > On Sun, Apr 21, 2024 at 2:04 PM Peter Müller wrote:
> >>
> >> Hello Michael,
> >>
> >> thank you for working on this in particular and the SYNPROXY patchset.
> >>
> >> If my understanding of the situation is correct, the changes this patch
> >> proposes would only be necessary for Vincent Li's DDoS mitigation that
> >> leverages XDP, which remains a custom setup IPFire otherwise does not
> >> support (in terms of having it documented, supported by the web interface,
> >> etc.).
>
> XDP is not configurable in the kernel. It is always compiled in as it depends on the driver whether it is being implemented.
>
> What Vincent is asking for is to enable the BPF syscall.
>
> >> Frankly, I still think that the misuse potential of having XDP enabled
> >> outweighs the benefits of doing so, and I'd rather not see this attack
> >> surface being opened by default on IPFire systems, "just" to permit one
> >> single custom setup of which the exact nature and benefit still largely
> >> remains unclear to me. Personally, I'd much rather see the SYNPROXY patchset
> >> you submitted land in IPFire, be properly supported, and enabled by default.
> >
> > What attack interface does XDP expose? I guess you mean the eBPF feature
> > enabled in general
> > could expose attack interfaces. The kernel config I suggested, as I
> > researched, only enables
> > XDP/TC network functionality, no tracing functionality (which
> > requires admin privilege even when enabled).
>
> What Peter means is that the larger the codebase the larger the amount of exploitable bugs. IPFire generally tries to minimise the attack surface by disabling features that are not being used.
>
> XDP cannot be disabled. There is not even a switch for it. So, that will always be there.
>
> BPF cannot be disabled either as it is being enabled by default if the kernel is being compiled with network support:
>
> https://git.ipfire.org/?p=thirdparty/kernel/stable.git;a=blob;f=net/Kconfig;hb=ba151416051a45ffca565f708584b9cd5c971481#l10
>
> > Enabling this allows IPFire users to customize their packet filter
> > strategy, it opens up many
> > possibilities, for example there is the bpfilter project to improve
> > iptables/nftables https://github.com/facebook/bpfilter.
> > It allows innovation and progress :)
>
> Not everything that is new is automatically innovation.
>
ok, point taken, just trying to be helpful here. If the community ever changes its mind on XDP, I will be glad to help :)
>
> >
> >> No offense.
> >>
> >> Thanks, and best regards,
> >> Peter Müller
> >>
> >>
> >>> https://lists.ipfire.org/hyperkitty/list/development(a)lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/
> >>>
> >>> Signed-off-by: Michael Tremer
> >>> ---
> >>> config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
> >>> config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
> >>> config/kernel/kernel.config.x86_64-ipfire | 11 ++++++++++-
> >>> 3 files changed, 32 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> >>> index b85d7add9..3d8282ac6 100644
> >>> --- a/config/kernel/kernel.config.aarch64-ipfire
> >>> +++ b/config/kernel/kernel.config.aarch64-ipfire
> >>> @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=3Dy > >>> # > >>> # BPF subsystem > >>> # > >>> -# CONFIG_BPF_SYSCALL is not set > >>> +CONFIG_BPF_SYSCALL=3Dy > >>> CONFIG_BPF_JIT=3Dy > >>> +CONFIG_BPF_JIT_ALWAYS_ON=3Dy > >>> CONFIG_BPF_JIT_DEFAULT_ON=3Dy > >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=3Dy > >>> +# CONFIG_BPF_PRELOAD is not set > >>> # end of BPF subsystem > >>> > >>> CONFIG_PREEMPT_BUILD=3Dy > >>> @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=3Dy > >>> CONFIG_TASKS_RCU_GENERIC=3Dy > >>> CONFIG_TASKS_RCU=3Dy > >>> CONFIG_TASKS_RUDE_RCU=3Dy > >>> +CONFIG_TASKS_TRACE_RCU=3Dy > >>> CONFIG_RCU_STALL_COMMON=3Dy > >>> CONFIG_RCU_NEED_SEGCBLIST=3Dy > >>> # end of RCU Subsystem > >>> @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=3Dy > >>> CONFIG_CGROUP_DEVICE=3Dy > >>> CONFIG_CGROUP_CPUACCT=3Dy > >>> CONFIG_CGROUP_PERF=3Dy > >>> +# CONFIG_CGROUP_BPF is not set > >>> # CONFIG_CGROUP_MISC is not set > >>> # CONFIG_CGROUP_DEBUG is not set > >>> CONFIG_SOCK_CGROUP_DATA=3Dy > >>> @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=3Dm > >>> CONFIG_XFRM_IPCOMP=3Dm > >>> CONFIG_NET_KEY=3Dm > >>> CONFIG_NET_KEY_MIGRATE=3Dy > >>> +CONFIG_XDP_SOCKETS=3Dy > >>> +CONFIG_XDP_SOCKETS_DIAG=3Dm > >>> CONFIG_NET_HANDSHAKE=3Dy > >>> CONFIG_INET=3Dy > >>> CONFIG_IP_MULTICAST=3Dy > >>> @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=3Dy > >>> CONFIG_NETFILTER_NETLINK=3Dm > >>> CONFIG_NETFILTER_FAMILY_BRIDGE=3Dy > >>> CONFIG_NETFILTER_FAMILY_ARP=3Dy > >>> +CONFIG_NETFILTER_BPF_LINK=3Dy > >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set > >>> CONFIG_NETFILTER_NETLINK_ACCT=3Dm > >>> CONFIG_NETFILTER_NETLINK_QUEUE=3Dm > >>> @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=3Dm > >>> # > >>> # HID-BPF support > >>> # > >>> +# CONFIG_HID_BPF is not set > >>> # end of HID-BPF support > >>> > >>> # > >>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel= /kernel.config.riscv64-ipfire > >>> index 2bd39e7de..fd2172a25 100644 > >>> --- a/config/kernel/kernel.config.riscv64-ipfire 
> >>> +++ b/config/kernel/kernel.config.riscv64-ipfire > >>> @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=3Dy > >>> # > >>> # BPF subsystem > >>> # > >>> -# CONFIG_BPF_SYSCALL is not set > >>> +CONFIG_BPF_SYSCALL=3Dy > >>> CONFIG_BPF_JIT=3Dy > >>> +CONFIG_BPF_JIT_ALWAYS_ON=3Dy > >>> +CONFIG_BPF_JIT_DEFAULT_ON=3Dy > >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=3Dy > >>> +# CONFIG_BPF_PRELOAD is not set > >>> +# CONFIG_BPF_LSM is not set > >>> # end of BPF subsystem > >>> > >>> CONFIG_PREEMPT_VOLUNTARY_BUILD=3Dy > >>> @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=3Dy > >>> CONFIG_TREE_SRCU=3Dy > >>> CONFIG_TASKS_RCU_GENERIC=3Dy > >>> CONFIG_TASKS_RUDE_RCU=3Dy > >>> +CONFIG_TASKS_TRACE_RCU=3Dy > >>> CONFIG_RCU_STALL_COMMON=3Dy > >>> CONFIG_RCU_NEED_SEGCBLIST=3Dy > >>> # end of RCU Subsystem > >>> @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=3Dy > >>> CONFIG_CGROUP_DEVICE=3Dy > >>> CONFIG_CGROUP_CPUACCT=3Dy > >>> CONFIG_CGROUP_PERF=3Dy > >>> +# CONFIG_CGROUP_BPF is not set > >>> # CONFIG_CGROUP_MISC is not set > >>> # CONFIG_CGROUP_DEBUG is not set > >>> CONFIG_SOCK_CGROUP_DATA=3Dy > >>> @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=3Dm > >>> CONFIG_XFRM_IPCOMP=3Dm > >>> CONFIG_NET_KEY=3Dm > >>> CONFIG_NET_KEY_MIGRATE=3Dy > >>> +CONFIG_XDP_SOCKETS=3Dy > >>> +CONFIG_XDP_SOCKETS_DIAG=3Dm > >>> CONFIG_NET_HANDSHAKE=3Dy > >>> CONFIG_INET=3Dy > >>> CONFIG_IP_MULTICAST=3Dy > >>> @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=3Dy > >>> CONFIG_NETFILTER_NETLINK=3Dy > >>> CONFIG_NETFILTER_FAMILY_BRIDGE=3Dy > >>> CONFIG_NETFILTER_FAMILY_ARP=3Dy > >>> +CONFIG_NETFILTER_BPF_LINK=3Dy > >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set > >>> CONFIG_NETFILTER_NETLINK_ACCT=3Dm > >>> CONFIG_NETFILTER_NETLINK_QUEUE=3Dm 
> >>> @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=3Dy > >>> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set > >>> # CONFIG_BLK_DEV_IO_TRACE is not set > >>> CONFIG_UPROBE_EVENTS=3Dy > >>> +CONFIG_BPF_EVENTS=3Dy > >>> CONFIG_DYNAMIC_EVENTS=3Dy > >>> CONFIG_PROBE_EVENTS=3Dy > >>> CONFIG_FTRACE_MCOUNT_RECORD=3Dy > >>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/= kernel.config.x86_64-ipfire > >>> index 8ce66cb4f..ec3bca2e7 100644 > >>> --- a/config/kernel/kernel.config.x86_64-ipfire > >>> +++ b/config/kernel/kernel.config.x86_64-ipfire > >>> @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=3Dy > >>> # > >>> # BPF subsystem > >>> # > >>> -# CONFIG_BPF_SYSCALL is not set > >>> +CONFIG_BPF_SYSCALL=3Dy > >>> CONFIG_BPF_JIT=3Dy > >>> +CONFIG_BPF_JIT_ALWAYS_ON=3Dy > >>> CONFIG_BPF_JIT_DEFAULT_ON=3Dy > >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=3Dy > >>> +# CONFIG_BPF_PRELOAD is not set > >>> # end of BPF subsystem > >>> > >>> CONFIG_PREEMPT_BUILD=3Dy > >>> @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=3Dy > >>> CONFIG_TASKS_RCU_GENERIC=3Dy > >>> CONFIG_TASKS_RCU=3Dy > >>> CONFIG_TASKS_RUDE_RCU=3Dy > >>> +CONFIG_TASKS_TRACE_RCU=3Dy > >>> CONFIG_RCU_STALL_COMMON=3Dy > >>> CONFIG_RCU_NEED_SEGCBLIST=3Dy > >>> # end of RCU Subsystem > >>> @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=3Dy > >>> CONFIG_CGROUP_DEVICE=3Dy > >>> CONFIG_CGROUP_CPUACCT=3Dy > >>> CONFIG_CGROUP_PERF=3Dy > >>> +# CONFIG_CGROUP_BPF is not set > >>> # CONFIG_CGROUP_MISC is not set > >>> # CONFIG_CGROUP_DEBUG is not set > >>> CONFIG_SOCK_CGROUP_DATA=3Dy > >>> @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=3Dm > >>> CONFIG_XFRM_IPCOMP=3Dm > >>> CONFIG_NET_KEY=3Dm > >>> CONFIG_NET_KEY_MIGRATE=3Dy > >>> +CONFIG_XDP_SOCKETS=3Dy > >>> +CONFIG_XDP_SOCKETS_DIAG=3Dm > >>> CONFIG_NET_HANDSHAKE=3Dy > >>> CONFIG_INET=3Dy > >>> CONFIG_IP_MULTICAST=3Dy 
> >>> @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=3Dy > >>> CONFIG_NETFILTER_NETLINK=3Dy > >>> CONFIG_NETFILTER_FAMILY_BRIDGE=3Dy > >>> CONFIG_NETFILTER_FAMILY_ARP=3Dy > >>> +CONFIG_NETFILTER_BPF_LINK=3Dy > >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set > >>> CONFIG_NETFILTER_NETLINK_ACCT=3Dm > >>> CONFIG_NETFILTER_NETLINK_QUEUE=3Dm > >>> @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=3Dm > >>> # > >>> # HID-BPF support > >>> # > >>> +# CONFIG_HID_BPF is not set > >>> # end of HID-BPF support > >>> > >>> # > > --===============4043925832627766582==--
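Review bot: the hardening added in the `# BPF subsystem` hunks of all three files (`+CONFIG_BPF_JIT_ALWAYS_ON=y`, `+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y`) is not mentioned in the visible part of the commit message, which only links the mailing-list thread above the Signed-off-by. Spell out that unprivileged BPF stays off (the option presets kernel.unprivileged_bpf_disabled to 2, which an administrator can still set back to 0) and that the interpreter is compiled out, since that is the direct answer to the attack-surface objection raised in the thread; if the knob should not be reopenable at runtime, also ship a sysctl that sets it to 1 at boot.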
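Review bot: the riscv64 `# BPF subsystem` hunk diverges from the aarch64 and x86_64 ones by also adding `+CONFIG_BPF_JIT_DEFAULT_ON=y` and `+# CONFIG_BPF_LSM is not set`, and nothing explains why. The first follows from the hunk context (riscv64 shows CONFIG_HAVE_EBPF_JIT=y where the other two show CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y, so BPF_JIT_DEFAULT_ON only becomes visible there once BPF_JIT_ALWAYS_ON is set); the second appears only because the riscv64 tracing hunk enables CONFIG_BPF_EVENTS, which BPF_LSM depends on. A sentence in the commit message would stop the per-architecture difference being mistaken for a stale config.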
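Review bot: `+CONFIG_BPF_EVENTS=y` in the riscv64 `CONFIG_BRANCH_PROFILE_NONE` hunk enables the tracing attach points (kprobes, uprobes, tracepoints, perf events) that the thread says are not wanted, and it has no counterpart in the aarch64 and x86_64 files. It defaults to y once BPF_SYSCALL is on and kprobe or uprobe event support plus perf events are available, and the context line CONFIG_UPROBE_EVENTS=y shows that they are on riscv64. Set `# CONFIG_BPF_EVENTS is not set` there, or explain why tracing programs are acceptable on that architecture, so all three configs expose the same program types.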
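Review bot: `+CONFIG_XDP_SOCKETS=y` and `+CONFIG_XDP_SOCKETS_DIAG=m` in the `CONFIG_NET_KEY_MIGRATE` hunks of all three files enable AF_XDP, a user-space fast path that hands frames from the driver to a privileged process past the kernel stack and netfilter, which an XDP program dropping flood traffic in the driver does not need. Unless the intended setup actually uses AF_XDP, leave both unset to match the minimal-surface position argued in the thread; if they are needed, say so in the commit message.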
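Review bot: `+CONFIG_NETFILTER_BPF_LINK=y` in the `CONFIG_NETFILTER_FAMILY_ARP` hunks lets BPF programs attach directly to netfilter hooks, a program type separate from XDP and TC that nobody in the thread asked for. Either document why it is wanted or leave it unset; as submitted the patch enables more than the XDP use case it is justified by.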
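As an added check (example script, not part of the patch or of IPFire), a POSIX sh audit that compares a kernel .config against the BPF options this patch touches and reports the runtime state of kernel.unprivileged_bpf_disabled; the embedded sample config is constructed to resemble the riscv64 result, and the /tmp/config path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the patch or from IPFire): audit a kernel .config for
# the BPF options this patch touches and read the runtime knob that
# CONFIG_BPF_UNPRIV_DEFAULT_OFF presets. Assumes a plain-text Kconfig file
# (e.g. produced with `zcat /proc/config.gz > /tmp/config`).
# cfg_value FILE OPTION -> prints y, m or n (n when absent or "is not set")
cfg_value() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    else echo n
    fi
}
# audit_bpf_config FILE -> one line per finding; returns 0 when the BPF
# syscall is off, or on with both hardening options from the patch present
audit_bpf_config() {
    f="$1"; rc=0
    if [ "$(cfg_value "$f" CONFIG_BPF_SYSCALL)" != y ]; then
        echo "BPF syscall not enabled; nothing to audit"; return 0
    fi
    # the patch pairs BPF_SYSCALL with these two; flag their absence
    for opt in CONFIG_BPF_JIT_ALWAYS_ON CONFIG_BPF_UNPRIV_DEFAULT_OFF; do
        [ "$(cfg_value "$f" "$opt")" = y ] || { echo "MISSING $opt"; rc=1; }
    done
    # attach points beyond XDP/TC programs: report so a reviewer can decide
    for opt in CONFIG_BPF_EVENTS CONFIG_BPF_LSM CONFIG_CGROUP_BPF \
               CONFIG_NETFILTER_BPF_LINK CONFIG_XDP_SOCKETS; do
        v=$(cfg_value "$f" "$opt")
        [ "$v" = n ] || echo "EXTRA $opt=$v"
    done
    return "$rc"
}
# unpriv_bpf_state -> kernel.unprivileged_bpf_disabled as text; with
# CONFIG_BPF_UNPRIV_DEFAULT_OFF=y a fresh boot should report 2
unpriv_bpf_state() {
    case "$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)" in
        0) echo "ENABLED for unprivileged users" ;;
        1) echo "disabled permanently (until reboot)" ;;
        2) echo "disabled, admin may re-enable" ;;
        *) echo "unknown (knob missing)" ;;
    esac
}
# Constructed sample resembling riscv64 after the patch (not a real config)
sample_config() {
    t=$(mktemp)
    printf '%s\n' CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT_ALWAYS_ON=y \
        CONFIG_BPF_UNPRIV_DEFAULT_OFF=y '# CONFIG_BPF_LSM is not set' \
        '# CONFIG_CGROUP_BPF is not set' CONFIG_XDP_SOCKETS=y \
        CONFIG_NETFILTER_BPF_LINK=y CONFIG_BPF_EVENTS=y > "$t"
    echo "$t"
}
audit_bpf_config "$(sample_config)"
```

On the sample it reports three EXTRA lines (BPF_EVENTS, NETFILTER_BPF_LINK, XDP_SOCKETS) and exits 0 because both hardening options are present; run it against a real config file to see what a rebuilt kernel actually exposes.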