On Sun, Apr 21, 2024 at 2:04 PM Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thank you for working on this in particular and the SYNPROXY patchset.
If my understanding of the situation is correct, the changes this patch proposes would only be necessary for Vincent Li's DDoS mitigation that leverages XDP, which remains a custom setup IPFire otherwise does not support (in terms of having it documented, supported by the web interface, etc.).
Frankly, I still think that the misuse potential of having XDP enabled outweighs the benefits of doing so, and I'd rather not see this attack surface being opened by default on IPFire systems, "just" to permit one single custom setup of which the exact nature and benefit still largely remains unclear to me. Personally, I'd much rather see the SYNPROXY patchset you submitted land in IPFire, be properly supported, and enabled by default.
What attack interface does XDP expose? I guess you mean that the eBPF feature, enabled in general, could expose attack interfaces. The kernel config I suggested, as I researched, only enables XDP/TC network functionality, no tracing functionality (which requires admin privilege even when enabled).
Enabling this allows IPFire users to customize their packet filter strategy; it opens up many possibilities. For example, there is the bpfilter project to improve iptables/nftables: https://github.com/facebook/bpfilter. It allows innovation and progress :)
No offense.
Thanks, and best regards, Peter Müller
https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread...
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++- config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++- config/kernel/kernel.config.x86_64-ipfire | 11 ++++++++++- 3 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b85d7add9..3d8282ac6 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # # BPF subsystem # -# CONFIG_BPF_SYSCALL is not set +CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y +# CONFIG_BPF_PRELOAD is not set # end of BPF subsystem
CONFIG_PREEMPT_BUILD=y @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=y CONFIG_TASKS_RCU_GENERIC=y CONFIG_TASKS_RCU=y CONFIG_TASKS_RUDE_RCU=y +CONFIG_TASKS_TRACE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_BPF is not set # CONFIG_CGROUP_MISC is not set # CONFIG_CGROUP_DEBUG is not set CONFIG_SOCK_CGROUP_DATA=y @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=m CONFIG_XFRM_IPCOMP=m CONFIG_NET_KEY=m CONFIG_NET_KEY_MIGRATE=y +CONFIG_XDP_SOCKETS=y +CONFIG_XDP_SOCKETS_DIAG=m CONFIG_NET_HANDSHAKE=y CONFIG_INET=y CONFIG_IP_MULTICAST=y @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y CONFIG_NETFILTER_NETLINK=m CONFIG_NETFILTER_FAMILY_BRIDGE=y CONFIG_NETFILTER_FAMILY_ARP=y +CONFIG_NETFILTER_BPF_LINK=y # CONFIG_NETFILTER_NETLINK_HOOK is not set CONFIG_NETFILTER_NETLINK_ACCT=m CONFIG_NETFILTER_NETLINK_QUEUE=m @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=m # # HID-BPF support # +# CONFIG_HID_BPF is not set # end of HID-BPF support
# diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2bd39e7de..fd2172a25 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=y # # BPF subsystem # -# CONFIG_BPF_SYSCALL is not set +CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT=y +CONFIG_BPF_JIT_ALWAYS_ON=y +CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y +# CONFIG_BPF_PRELOAD is not set +# CONFIG_BPF_LSM is not set # end of BPF subsystem
CONFIG_PREEMPT_VOLUNTARY_BUILD=y @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=y CONFIG_TREE_SRCU=y CONFIG_TASKS_RCU_GENERIC=y CONFIG_TASKS_RUDE_RCU=y +CONFIG_TASKS_TRACE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_BPF is not set # CONFIG_CGROUP_MISC is not set # CONFIG_CGROUP_DEBUG is not set CONFIG_SOCK_CGROUP_DATA=y @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=m CONFIG_XFRM_IPCOMP=m CONFIG_NET_KEY=m CONFIG_NET_KEY_MIGRATE=y +CONFIG_XDP_SOCKETS=y +CONFIG_XDP_SOCKETS_DIAG=m CONFIG_NET_HANDSHAKE=y CONFIG_INET=y CONFIG_IP_MULTICAST=y @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y CONFIG_NETFILTER_NETLINK=y CONFIG_NETFILTER_FAMILY_BRIDGE=y CONFIG_NETFILTER_FAMILY_ARP=y +CONFIG_NETFILTER_BPF_LINK=y # CONFIG_NETFILTER_NETLINK_HOOK is not set CONFIG_NETFILTER_NETLINK_ACCT=m CONFIG_NETFILTER_NETLINK_QUEUE=m @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y +CONFIG_BPF_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y CONFIG_FTRACE_MCOUNT_RECORD=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 8ce66cb4f..ec3bca2e7 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # # BPF subsystem # -# CONFIG_BPF_SYSCALL is not set +CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y +# CONFIG_BPF_PRELOAD is not set # end of BPF subsystem
CONFIG_PREEMPT_BUILD=y @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=y CONFIG_TASKS_RCU_GENERIC=y CONFIG_TASKS_RCU=y CONFIG_TASKS_RUDE_RCU=y +CONFIG_TASKS_TRACE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_BPF is not set # CONFIG_CGROUP_MISC is not set # CONFIG_CGROUP_DEBUG is not set CONFIG_SOCK_CGROUP_DATA=y @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=m CONFIG_XFRM_IPCOMP=m CONFIG_NET_KEY=m CONFIG_NET_KEY_MIGRATE=y +CONFIG_XDP_SOCKETS=y +CONFIG_XDP_SOCKETS_DIAG=m CONFIG_NET_HANDSHAKE=y CONFIG_INET=y CONFIG_IP_MULTICAST=y @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y CONFIG_NETFILTER_NETLINK=y CONFIG_NETFILTER_FAMILY_BRIDGE=y CONFIG_NETFILTER_FAMILY_ARP=y +CONFIG_NETFILTER_BPF_LINK=y # CONFIG_NETFILTER_NETLINK_HOOK is not set CONFIG_NETFILTER_NETLINK_ACCT=m CONFIG_NETFILTER_NETLINK_QUEUE=m @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=m # # HID-BPF support # +# CONFIG_HID_BPF is not set # end of HID-BPF support
#
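Review bot: the riscv64 hunk at @@ -7383,6 +7393,7 @@ adds CONFIG_BPF_EVENTS=y next to the existing CONFIG_UPROBE_EVENTS=y, whereas the aarch64 and x86_64 diffs add no such line, and the discussion above states that the change enables only XDP/TC networking and no tracing functionality. CONFIG_BPF_EVENTS is what allows BPF programs to be attached to tracepoints, kprobes and uprobes, so the riscv64 build ends up with a larger BPF surface than the other two; the riscv64-only "# CONFIG_BPF_LSM is not set" line in the BPF subsystem hunk is a side effect of the same thing, since BPF_LSM only becomes selectable once BPF_EVENTS is on. BPF_EVENTS is not user-selectable: it turns on automatically when CONFIG_BPF_SYSCALL is set together with kprobe or uprobe events and perf events, so the only way to keep it off is to leave those probe-event options disabled on riscv64, as appears to be the case on aarch64 and x86_64. Either make the three architectures consistent or state in the commit message that tracing-side BPF is intentionally enabled on riscv64.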
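Review bot: the BPF subsystem hunk (@@ -93,9 +93,12 @@ in aarch64, mirrored in the riscv64 and x86_64 files) switches CONFIG_BPF_SYSCALL from "is not set" to y and adds CONFIG_BPF_JIT_ALWAYS_ON=y and CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, but the patch carries no commit message beyond the Signed-off-by, and the thread shows that the attack-surface question is exactly what reviewers want answered. Please document the hardening choices: BPF_UNPRIV_DEFAULT_OFF only sets the boot default of the kernel.unprivileged_bpf_disabled sysctl to 2, so bpf() remains available to root/CAP_BPF and an administrator can still write 0 to that sysctl later, and BPF_JIT_ALWAYS_ON removes the interpreter, so net.core.bpf_jit_enable can no longer be set to 0. Given that the JIT is now the only execution path, consider setting net.core.bpf_jit_harden=2 in IPFire's sysctl defaults so that constant blinding applies to all loaded programs, not only unprivileged ones, and say so in the commit message.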
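Review bot: the networking hunks add CONFIG_XDP_SOCKETS=y and CONFIG_XDP_SOCKETS_DIAG=m (AF_XDP sockets) and CONFIG_NETFILTER_BPF_LINK=y (BPF programs attached directly at netfilter hooks), while "# CONFIG_CGROUP_BPF is not set", "# CONFIG_HID_BPF is not set" and "# CONFIG_BPF_PRELOAD is not set" keep cgroup, HID and bpffs-preload BPF off. That is a reasonable minimum, but neither the diff nor the discussion says which of the enabled options the intended XDP DDoS mitigation actually needs. AF_XDP in particular is a userspace fast path for raw frames rather than part of in-kernel XDP filtering and could stay disabled unless the planned setup uses it, and NETFILTER_BPF_LINK is only needed for bpfilter-style filters, not for XDP. Please list in the commit message which options are required for the use case and which are merely now exposed by Kconfig, so the enabled set can be reviewed against that requirement rather than guessed.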