Re: [PATCH net-next 2/2] tun: allow to attach ebpf socket filter

2018-01-04 Thread Willem de Bruijn
On Thu, Jan 4, 2018 at 8:28 AM, Jason Wang wrote: > > > On 2018-01-02 17:19, Willem de Bruijn wrote: More importantly, should this program just return a boolean pass or drop. Taking a length and trimming may introduce bugs later on if the stack parses the packet

Re: [PATCH net-next 2/2] tun: allow to attach ebpf socket filter

2018-01-03 Thread Jason Wang
On 2018-01-02 17:19, Willem de Bruijn wrote: More importantly, should this program just return a boolean pass or drop. Taking a length and trimming may introduce bugs later on if the stack parses the packet unconditionally, expecting a minimum size to be present. This was the reason for

Re: [PATCH net-next 2/2] tun: allow to attach ebpf socket filter

2018-01-02 Thread Jason Wang
On 2018-01-02 17:19, Willem de Bruijn wrote: More importantly, should this program just return a boolean pass or drop. Taking a length and trimming may introduce bugs later on if the stack parses the packet unconditionally, expecting a minimum size to be present. This was the reason for

Re: [PATCH net-next 2/2] tun: allow to attach ebpf socket filter

2018-01-02 Thread Willem de Bruijn
>>> /* Net device start xmit */ >>> static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device >>> *dev) >>> { >>> struct tun_struct *tun = netdev_priv(dev); >>> int txq = skb->queue_mapping; >>> struct tun_file *tfile; >>> + int len = skb->len;
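
Review bot: in tun_net_xmit(), the added `int len = skb->len;` copies an unsigned field (`skb->len` is `unsigned int`) into a signed `int`; declaring `len` as `unsigned int` would keep any later comparison or trim against a filter-returned length in a single type. The uses of `len` fall outside this quoted fragment, so the declaration is the only part that can be checked here.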

Re: [PATCH net-next 2/2] tun: allow to attach ebpf socket filter

2018-01-01 Thread Jason Wang
On 2017-12-31 18:14, Willem de Bruijn wrote: On Fri, Dec 29, 2017 at 3:44 AM, Jason Wang wrote: This patch allows userspace to attach eBPF filter to tun. This will allow to implement VM dataplane filtering in a more efficient way compared to cBPF filter. Is the idea to allow the trusted

Re: [PATCH net-next 2/2] tun: allow to attach ebpf socket filter

2017-12-31 Thread Willem de Bruijn
On Fri, Dec 29, 2017 at 3:44 AM, Jason Wang wrote: > This patch allows userspace to attach eBPF filter to tun. This will > allow to implement VM dataplane filtering in a more efficient way > compared to cBPF filter. Is the idea to allow the trusted hypervisor to install these programs, or the

[PATCH net-next 2/2] tun: allow to attach ebpf socket filter

2017-12-28 Thread Jason Wang
This patch allows userspace to attach eBPF filter to tun. This will allow to implement VM dataplane filtering in a more efficient way compared to cBPF filter. Signed-off-by: Jason Wang --- drivers/net/tun.c | 26 ++ include/uapi/linux/if_tun.h | 1 + 2 files