[RFC] kernel: Enable XDP

Message ID 20240418210855.3318587-1-michael.tremer@ipfire.org

Commit Message

Michael Tremer April 18, 2024, 9:08 p.m. UTC
  https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
 config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
 config/kernel/kernel.config.x86_64-ipfire  | 11 ++++++++++-
 3 files changed, 32 insertions(+), 3 deletions(-)
  

Comments

Vincent Li April 19, 2024, 12:33 a.m. UTC | #1
On Thu, Apr 18, 2024 at 2:09 PM Michael Tremer
<michael.tremer@ipfire.org> wrote:
>
>   https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/
>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
>  config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
>  config/kernel/kernel.config.x86_64-ipfire  | 11 ++++++++++-
>  3 files changed, 32 insertions(+), 3 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index b85d7add9..3d8282ac6 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
>  #
>  # BPF subsystem
>  #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
>  CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
>  CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
>  # end of BPF subsystem
>
>  CONFIG_PREEMPT_BUILD=y
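Review bot: The two hardening choices among the new lines, `CONFIG_BPF_JIT_ALWAYS_ON=y` and `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y`, are not explained anywhere; the commit message is only a link, and the same lines recur in the riscv64 hunk (@@ -103,8) and the x86_64 hunk (@@ -113,9). Since the objection in the thread is attack surface, the message should say what these options buy: UNPRIV_DEFAULT_OFF makes kernel.unprivileged_bpf_disabled default to 2, so bpf(2) is only usable with CAP_BPF (or CAP_SYS_ADMIN) instead of being open to any local user, and JIT_ALWAYS_ON removes the BPF interpreter so every loaded program is JIT-compiled. A short rationale paragraph along those lines, also covering why `# CONFIG_BPF_PRELOAD is not set` and `# CONFIG_CGROUP_BPF is not set` were chosen, would let the config be judged on its merits rather than on the title.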
> @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=y
>  CONFIG_TASKS_RCU_GENERIC=y
>  CONFIG_TASKS_RCU=y
>  CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
>  CONFIG_RCU_STALL_COMMON=y
>  CONFIG_RCU_NEED_SEGCBLIST=y
>  # end of RCU Subsystem
> @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=y
>  CONFIG_CGROUP_DEVICE=y
>  CONFIG_CGROUP_CPUACCT=y
>  CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
>  # CONFIG_CGROUP_MISC is not set
>  # CONFIG_CGROUP_DEBUG is not set
>  CONFIG_SOCK_CGROUP_DATA=y
> @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=m
>  CONFIG_XFRM_IPCOMP=m
>  CONFIG_NET_KEY=m
>  CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
>  CONFIG_NET_HANDSHAKE=y
>  CONFIG_INET=y
>  CONFIG_IP_MULTICAST=y
> @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>  CONFIG_NETFILTER_NETLINK=m
>  CONFIG_NETFILTER_FAMILY_BRIDGE=y
>  CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
>  # CONFIG_NETFILTER_NETLINK_HOOK is not set
>  CONFIG_NETFILTER_NETLINK_ACCT=m
>  CONFIG_NETFILTER_NETLINK_QUEUE=m
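Review bot: `CONFIG_NETFILTER_BPF_LINK=y` lets a suitably privileged process attach BPF programs directly to netfilter hooks, outside the iptables rule sets that IPFire's own tooling manages, and neither the commit message nor the config says so; the same line is added in the riscv64 hunk (@@ -934,6) and the x86_64 hunk (@@ -1207,6). As far as I can tell it is a def_bool that follows BPF_SYSCALL, so it cannot be switched off on its own once the syscall is enabled. Programs attached this way are not visible in iptables or nft listings, only through the bpf(2) link interface (e.g. `bpftool link`), which matters for anyone auditing a firewall's effective rule set; a sentence in the commit message stating this, and that attachment is capability-gated, would help the attack-surface discussion.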
> @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=m
>  #
>  # HID-BPF support
>  #
> +# CONFIG_HID_BPF is not set
>  # end of HID-BPF support
>
>  #
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index 2bd39e7de..fd2172a25 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=y
>  #
>  # BPF subsystem
>  #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
>  CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
> +CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
> +# CONFIG_BPF_LSM is not set
>  # end of BPF subsystem
>
>  CONFIG_PREEMPT_VOLUNTARY_BUILD=y
> @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=y
>  CONFIG_TREE_SRCU=y
>  CONFIG_TASKS_RCU_GENERIC=y
>  CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
>  CONFIG_RCU_STALL_COMMON=y
>  CONFIG_RCU_NEED_SEGCBLIST=y
>  # end of RCU Subsystem
> @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=y
>  CONFIG_CGROUP_DEVICE=y
>  CONFIG_CGROUP_CPUACCT=y
>  CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
>  # CONFIG_CGROUP_MISC is not set
>  # CONFIG_CGROUP_DEBUG is not set
>  CONFIG_SOCK_CGROUP_DATA=y
> @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=m
>  CONFIG_XFRM_IPCOMP=m
>  CONFIG_NET_KEY=m
>  CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
>  CONFIG_NET_HANDSHAKE=y
>  CONFIG_INET=y
>  CONFIG_IP_MULTICAST=y
> @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>  CONFIG_NETFILTER_NETLINK=y
>  CONFIG_NETFILTER_FAMILY_BRIDGE=y
>  CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
>  # CONFIG_NETFILTER_NETLINK_HOOK is not set
>  CONFIG_NETFILTER_NETLINK_ACCT=m
>  CONFIG_NETFILTER_NETLINK_QUEUE=m
> @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=y
>  # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
>  # CONFIG_BLK_DEV_IO_TRACE is not set
>  CONFIG_UPROBE_EVENTS=y
> +CONFIG_BPF_EVENTS=y
>  CONFIG_DYNAMIC_EVENTS=y
>  CONFIG_PROBE_EVENTS=y
>  CONFIG_FTRACE_MCOUNT_RECORD=y
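Review bot: `CONFIG_BPF_EVENTS=y` is gained only by the riscv64 config; the aarch64 and x86_64 diffs do not add it, which is also why riscv64 has two more changed lines in the diffstat. BPF_EVENTS is what allows BPF programs to be attached to kprobes, uprobes, tracepoints and perf events, i.e. the tracing side that the thread describes as not being enabled, and as far as I can tell from the kernel Kconfig it has no prompt (default y once BPF_SYSCALL, KPROBE_EVENTS or UPROBE_EVENTS, and PERF_EVENTS are set), so here it is pulled in by the `CONFIG_UPROBE_EVENTS=y` line just above it. The `# CONFIG_BPF_LSM is not set` line in the riscv64 BPF hunk (@@ -103,8) presumably appears for the same reason, since BPF_LSM depends on BPF_EVENTS. Either make riscv64 match the other two architectures by dropping the dependency that enables it, or state in the commit message that riscv64 deliberately keeps BPF tracing.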
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 8ce66cb4f..ec3bca2e7 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
>  #
>  # BPF subsystem
>  #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
>  CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
>  CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
>  # end of BPF subsystem
>
>  CONFIG_PREEMPT_BUILD=y
> @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=y
>  CONFIG_TASKS_RCU_GENERIC=y
>  CONFIG_TASKS_RCU=y
>  CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
>  CONFIG_RCU_STALL_COMMON=y
>  CONFIG_RCU_NEED_SEGCBLIST=y
>  # end of RCU Subsystem
> @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=y
>  CONFIG_CGROUP_DEVICE=y
>  CONFIG_CGROUP_CPUACCT=y
>  CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
>  # CONFIG_CGROUP_MISC is not set
>  # CONFIG_CGROUP_DEBUG is not set
>  CONFIG_SOCK_CGROUP_DATA=y
> @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=m
>  CONFIG_XFRM_IPCOMP=m
>  CONFIG_NET_KEY=m
>  CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
>  CONFIG_NET_HANDSHAKE=y
>  CONFIG_INET=y
>  CONFIG_IP_MULTICAST=y
> @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>  CONFIG_NETFILTER_NETLINK=y
>  CONFIG_NETFILTER_FAMILY_BRIDGE=y
>  CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
>  # CONFIG_NETFILTER_NETLINK_HOOK is not set
>  CONFIG_NETFILTER_NETLINK_ACCT=m
>  CONFIG_NETFILTER_NETLINK_QUEUE=m
> @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=m
>  #
>  # HID-BPF support
>  #
> +# CONFIG_HID_BPF is not set
>  # end of HID-BPF support
>
>  #
> --
> 2.39.2
>

The debug symbols are required at build time for the pahole utility to
generate BTF type info for the kernel image
(https://docs.kernel.org/bpf/btf.html). The debug symbols can be
stripped after the BTF type info is generated, so the kernel image would not
contain debug symbols but would still carry the BTF type info. If the kernel image is missing
BTF type information, an XDP program will fail to attach to the network
interface.

for image size, here is the discussion
https://lore.kernel.org/bpf/CAK3+h2ymkOmmGYHy1WOT5L+nbavM0sfRZ3LKZiMz-GAhcO1=WQ@mail.gmail.com/
and I found the way to strip the debug symbol but keep BTF type info

I can send a patch for comments, what do you think?

Vincent
  
Peter Müller April 21, 2024, 9:04 p.m. UTC | #2
Hello Michael,

thank you for working on this in particular and the SYNPROXY patchset.

If my understanding of the situation is correct, the changes this patch
proposes would only be necessary for Vincent Li's DDoS mitigation that
leverages XDP, which remains a custom setup IPFire otherwise does not
support (in terms of having it documented, supported by the web interface,
etc.).

Frankly, I still think that the misuse potential of having XDP enabled
outweighs the benefits of doing so, and I'd rather not see this attack
surface being opened by default on IPFire systems, "just" to permit one
single custom setup of which the exact nature and benefit still largely
remains unclear to me. Personally, I'd much rather see the SYNPROXY patchset
you submitted land in IPFire, be properly supported, and enabled by default.

No offense.

Thanks, and best regards,
Peter Müller


>   https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/
> 
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
>  config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
>  config/kernel/kernel.config.x86_64-ipfire  | 11 ++++++++++-
>  3 files changed, 32 insertions(+), 3 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index b85d7add9..3d8282ac6 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
>  #
>  # BPF subsystem
>  #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
>  CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
>  CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
>  # end of BPF subsystem
>  
>  CONFIG_PREEMPT_BUILD=y
> @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=y
>  CONFIG_TASKS_RCU_GENERIC=y
>  CONFIG_TASKS_RCU=y
>  CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
>  CONFIG_RCU_STALL_COMMON=y
>  CONFIG_RCU_NEED_SEGCBLIST=y
>  # end of RCU Subsystem
> @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=y
>  CONFIG_CGROUP_DEVICE=y
>  CONFIG_CGROUP_CPUACCT=y
>  CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
>  # CONFIG_CGROUP_MISC is not set
>  # CONFIG_CGROUP_DEBUG is not set
>  CONFIG_SOCK_CGROUP_DATA=y
> @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=m
>  CONFIG_XFRM_IPCOMP=m
>  CONFIG_NET_KEY=m
>  CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
>  CONFIG_NET_HANDSHAKE=y
>  CONFIG_INET=y
>  CONFIG_IP_MULTICAST=y
> @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>  CONFIG_NETFILTER_NETLINK=m
>  CONFIG_NETFILTER_FAMILY_BRIDGE=y
>  CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
>  # CONFIG_NETFILTER_NETLINK_HOOK is not set
>  CONFIG_NETFILTER_NETLINK_ACCT=m
>  CONFIG_NETFILTER_NETLINK_QUEUE=m
> @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=m
>  #
>  # HID-BPF support
>  #
> +# CONFIG_HID_BPF is not set
>  # end of HID-BPF support
>  
>  #
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index 2bd39e7de..fd2172a25 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=y
>  #
>  # BPF subsystem
>  #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
>  CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
> +CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
> +# CONFIG_BPF_LSM is not set
>  # end of BPF subsystem
>  
>  CONFIG_PREEMPT_VOLUNTARY_BUILD=y
> @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=y
>  CONFIG_TREE_SRCU=y
>  CONFIG_TASKS_RCU_GENERIC=y
>  CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
>  CONFIG_RCU_STALL_COMMON=y
>  CONFIG_RCU_NEED_SEGCBLIST=y
>  # end of RCU Subsystem
> @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=y
>  CONFIG_CGROUP_DEVICE=y
>  CONFIG_CGROUP_CPUACCT=y
>  CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
>  # CONFIG_CGROUP_MISC is not set
>  # CONFIG_CGROUP_DEBUG is not set
>  CONFIG_SOCK_CGROUP_DATA=y
> @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=m
>  CONFIG_XFRM_IPCOMP=m
>  CONFIG_NET_KEY=m
>  CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
>  CONFIG_NET_HANDSHAKE=y
>  CONFIG_INET=y
>  CONFIG_IP_MULTICAST=y
> @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>  CONFIG_NETFILTER_NETLINK=y
>  CONFIG_NETFILTER_FAMILY_BRIDGE=y
>  CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
>  # CONFIG_NETFILTER_NETLINK_HOOK is not set
>  CONFIG_NETFILTER_NETLINK_ACCT=m
>  CONFIG_NETFILTER_NETLINK_QUEUE=m
> @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=y
>  # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
>  # CONFIG_BLK_DEV_IO_TRACE is not set
>  CONFIG_UPROBE_EVENTS=y
> +CONFIG_BPF_EVENTS=y
>  CONFIG_DYNAMIC_EVENTS=y
>  CONFIG_PROBE_EVENTS=y
>  CONFIG_FTRACE_MCOUNT_RECORD=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 8ce66cb4f..ec3bca2e7 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
>  #
>  # BPF subsystem
>  #
> -# CONFIG_BPF_SYSCALL is not set
> +CONFIG_BPF_SYSCALL=y
>  CONFIG_BPF_JIT=y
> +CONFIG_BPF_JIT_ALWAYS_ON=y
>  CONFIG_BPF_JIT_DEFAULT_ON=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> +# CONFIG_BPF_PRELOAD is not set
>  # end of BPF subsystem
>  
>  CONFIG_PREEMPT_BUILD=y
> @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=y
>  CONFIG_TASKS_RCU_GENERIC=y
>  CONFIG_TASKS_RCU=y
>  CONFIG_TASKS_RUDE_RCU=y
> +CONFIG_TASKS_TRACE_RCU=y
>  CONFIG_RCU_STALL_COMMON=y
>  CONFIG_RCU_NEED_SEGCBLIST=y
>  # end of RCU Subsystem
> @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=y
>  CONFIG_CGROUP_DEVICE=y
>  CONFIG_CGROUP_CPUACCT=y
>  CONFIG_CGROUP_PERF=y
> +# CONFIG_CGROUP_BPF is not set
>  # CONFIG_CGROUP_MISC is not set
>  # CONFIG_CGROUP_DEBUG is not set
>  CONFIG_SOCK_CGROUP_DATA=y
> @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=m
>  CONFIG_XFRM_IPCOMP=m
>  CONFIG_NET_KEY=m
>  CONFIG_NET_KEY_MIGRATE=y
> +CONFIG_XDP_SOCKETS=y
> +CONFIG_XDP_SOCKETS_DIAG=m
>  CONFIG_NET_HANDSHAKE=y
>  CONFIG_INET=y
>  CONFIG_IP_MULTICAST=y
> @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>  CONFIG_NETFILTER_NETLINK=y
>  CONFIG_NETFILTER_FAMILY_BRIDGE=y
>  CONFIG_NETFILTER_FAMILY_ARP=y
> +CONFIG_NETFILTER_BPF_LINK=y
>  # CONFIG_NETFILTER_NETLINK_HOOK is not set
>  CONFIG_NETFILTER_NETLINK_ACCT=m
>  CONFIG_NETFILTER_NETLINK_QUEUE=m
> @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=m
>  #
>  # HID-BPF support
>  #
> +# CONFIG_HID_BPF is not set
>  # end of HID-BPF support
>  
>  #
  
Vincent Li April 22, 2024, 2:24 p.m. UTC | #3
On Sun, Apr 21, 2024 at 2:04 PM Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Michael,
>
> thank you for working on this in particular and the SYNPROXY patchset.
>
> If my understanding of the situation is correct, the changes this patch
> proposes would only be necessary for Vincent Li's DDoS mitigation that
> leverages XDP, which remains a custom setup IPFire otherwise does not
> support (in terms of having it documented, supported by the web interface,
> etc.).
>
> Frankly, I still think that the misuse potential of having XDP enabled
> outweighs the benefits of doing so, and I'd rather not see this attack
> surface being opened by default on IPFire systems, "just" to permit one
> single custom setup of which the exact nature and benefit still largely
> remains unclear to me. Personally, I'd much rather see the SYNPROXY patchset
> you submitted land in IPFire, be properly supported, and enabled by default.

What attack interface does XDP expose? I guess you mean that the eBPF feature
enabled in general
could expose attack interfaces. The kernel config I suggested, as far as I
researched, only enables
XDP/TC network functionality, not tracing functionality (which
requires admin privilege even when enabled).

Enabling this allows IPFire users to customize their packet filter
strategy, it opens up many
possibilities, for example there is bpfilter project to improve
iptables/nftables https://github.com/facebook/bpfilter.
It allows innovation and progress :)

> No offense.
>
> Thanks, and best regards,
> Peter Müller
>
>
> >   https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/
> >
> > Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> > ---
> >  config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
> >  config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
> >  config/kernel/kernel.config.x86_64-ipfire  | 11 ++++++++++-
> >  3 files changed, 32 insertions(+), 3 deletions(-)
> >
> > diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> > index b85d7add9..3d8282ac6 100644
> > --- a/config/kernel/kernel.config.aarch64-ipfire
> > +++ b/config/kernel/kernel.config.aarch64-ipfire
> > @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
> >  #
> >  # BPF subsystem
> >  #
> > -# CONFIG_BPF_SYSCALL is not set
> > +CONFIG_BPF_SYSCALL=y
> >  CONFIG_BPF_JIT=y
> > +CONFIG_BPF_JIT_ALWAYS_ON=y
> >  CONFIG_BPF_JIT_DEFAULT_ON=y
> > +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> > +# CONFIG_BPF_PRELOAD is not set
> >  # end of BPF subsystem
> >
> >  CONFIG_PREEMPT_BUILD=y
> > @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=y
> >  CONFIG_TASKS_RCU_GENERIC=y
> >  CONFIG_TASKS_RCU=y
> >  CONFIG_TASKS_RUDE_RCU=y
> > +CONFIG_TASKS_TRACE_RCU=y
> >  CONFIG_RCU_STALL_COMMON=y
> >  CONFIG_RCU_NEED_SEGCBLIST=y
> >  # end of RCU Subsystem
> > @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=y
> >  CONFIG_CGROUP_DEVICE=y
> >  CONFIG_CGROUP_CPUACCT=y
> >  CONFIG_CGROUP_PERF=y
> > +# CONFIG_CGROUP_BPF is not set
> >  # CONFIG_CGROUP_MISC is not set
> >  # CONFIG_CGROUP_DEBUG is not set
> >  CONFIG_SOCK_CGROUP_DATA=y
> > @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=m
> >  CONFIG_XFRM_IPCOMP=m
> >  CONFIG_NET_KEY=m
> >  CONFIG_NET_KEY_MIGRATE=y
> > +CONFIG_XDP_SOCKETS=y
> > +CONFIG_XDP_SOCKETS_DIAG=m
> >  CONFIG_NET_HANDSHAKE=y
> >  CONFIG_INET=y
> >  CONFIG_IP_MULTICAST=y
> > @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> >  CONFIG_NETFILTER_NETLINK=m
> >  CONFIG_NETFILTER_FAMILY_BRIDGE=y
> >  CONFIG_NETFILTER_FAMILY_ARP=y
> > +CONFIG_NETFILTER_BPF_LINK=y
> >  # CONFIG_NETFILTER_NETLINK_HOOK is not set
> >  CONFIG_NETFILTER_NETLINK_ACCT=m
> >  CONFIG_NETFILTER_NETLINK_QUEUE=m
> > @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=m
> >  #
> >  # HID-BPF support
> >  #
> > +# CONFIG_HID_BPF is not set
> >  # end of HID-BPF support
> >
> >  #
> > diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> > index 2bd39e7de..fd2172a25 100644
> > --- a/config/kernel/kernel.config.riscv64-ipfire
> > +++ b/config/kernel/kernel.config.riscv64-ipfire
> > @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=y
> >  #
> >  # BPF subsystem
> >  #
> > -# CONFIG_BPF_SYSCALL is not set
> > +CONFIG_BPF_SYSCALL=y
> >  CONFIG_BPF_JIT=y
> > +CONFIG_BPF_JIT_ALWAYS_ON=y
> > +CONFIG_BPF_JIT_DEFAULT_ON=y
> > +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> > +# CONFIG_BPF_PRELOAD is not set
> > +# CONFIG_BPF_LSM is not set
> >  # end of BPF subsystem
> >
> >  CONFIG_PREEMPT_VOLUNTARY_BUILD=y
> > @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=y
> >  CONFIG_TREE_SRCU=y
> >  CONFIG_TASKS_RCU_GENERIC=y
> >  CONFIG_TASKS_RUDE_RCU=y
> > +CONFIG_TASKS_TRACE_RCU=y
> >  CONFIG_RCU_STALL_COMMON=y
> >  CONFIG_RCU_NEED_SEGCBLIST=y
> >  # end of RCU Subsystem
> > @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=y
> >  CONFIG_CGROUP_DEVICE=y
> >  CONFIG_CGROUP_CPUACCT=y
> >  CONFIG_CGROUP_PERF=y
> > +# CONFIG_CGROUP_BPF is not set
> >  # CONFIG_CGROUP_MISC is not set
> >  # CONFIG_CGROUP_DEBUG is not set
> >  CONFIG_SOCK_CGROUP_DATA=y
> > @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=m
> >  CONFIG_XFRM_IPCOMP=m
> >  CONFIG_NET_KEY=m
> >  CONFIG_NET_KEY_MIGRATE=y
> > +CONFIG_XDP_SOCKETS=y
> > +CONFIG_XDP_SOCKETS_DIAG=m
> >  CONFIG_NET_HANDSHAKE=y
> >  CONFIG_INET=y
> >  CONFIG_IP_MULTICAST=y
> > @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> >  CONFIG_NETFILTER_NETLINK=y
> >  CONFIG_NETFILTER_FAMILY_BRIDGE=y
> >  CONFIG_NETFILTER_FAMILY_ARP=y
> > +CONFIG_NETFILTER_BPF_LINK=y
> >  # CONFIG_NETFILTER_NETLINK_HOOK is not set
> >  CONFIG_NETFILTER_NETLINK_ACCT=m
> >  CONFIG_NETFILTER_NETLINK_QUEUE=m
> > @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=y
> >  # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> >  # CONFIG_BLK_DEV_IO_TRACE is not set
> >  CONFIG_UPROBE_EVENTS=y
> > +CONFIG_BPF_EVENTS=y
> >  CONFIG_DYNAMIC_EVENTS=y
> >  CONFIG_PROBE_EVENTS=y
> >  CONFIG_FTRACE_MCOUNT_RECORD=y
> > diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> > index 8ce66cb4f..ec3bca2e7 100644
> > --- a/config/kernel/kernel.config.x86_64-ipfire
> > +++ b/config/kernel/kernel.config.x86_64-ipfire
> > @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
> >  #
> >  # BPF subsystem
> >  #
> > -# CONFIG_BPF_SYSCALL is not set
> > +CONFIG_BPF_SYSCALL=y
> >  CONFIG_BPF_JIT=y
> > +CONFIG_BPF_JIT_ALWAYS_ON=y
> >  CONFIG_BPF_JIT_DEFAULT_ON=y
> > +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> > +# CONFIG_BPF_PRELOAD is not set
> >  # end of BPF subsystem
> >
> >  CONFIG_PREEMPT_BUILD=y
> > @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=y
> >  CONFIG_TASKS_RCU_GENERIC=y
> >  CONFIG_TASKS_RCU=y
> >  CONFIG_TASKS_RUDE_RCU=y
> > +CONFIG_TASKS_TRACE_RCU=y
> >  CONFIG_RCU_STALL_COMMON=y
> >  CONFIG_RCU_NEED_SEGCBLIST=y
> >  # end of RCU Subsystem
> > @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=y
> >  CONFIG_CGROUP_DEVICE=y
> >  CONFIG_CGROUP_CPUACCT=y
> >  CONFIG_CGROUP_PERF=y
> > +# CONFIG_CGROUP_BPF is not set
> >  # CONFIG_CGROUP_MISC is not set
> >  # CONFIG_CGROUP_DEBUG is not set
> >  CONFIG_SOCK_CGROUP_DATA=y
> > @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=m
> >  CONFIG_XFRM_IPCOMP=m
> >  CONFIG_NET_KEY=m
> >  CONFIG_NET_KEY_MIGRATE=y
> > +CONFIG_XDP_SOCKETS=y
> > +CONFIG_XDP_SOCKETS_DIAG=m
> >  CONFIG_NET_HANDSHAKE=y
> >  CONFIG_INET=y
> >  CONFIG_IP_MULTICAST=y
> > @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> >  CONFIG_NETFILTER_NETLINK=y
> >  CONFIG_NETFILTER_FAMILY_BRIDGE=y
> >  CONFIG_NETFILTER_FAMILY_ARP=y
> > +CONFIG_NETFILTER_BPF_LINK=y
> >  # CONFIG_NETFILTER_NETLINK_HOOK is not set
> >  CONFIG_NETFILTER_NETLINK_ACCT=m
> >  CONFIG_NETFILTER_NETLINK_QUEUE=m
> > @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=m
> >  #
> >  # HID-BPF support
> >  #
> > +# CONFIG_HID_BPF is not set
> >  # end of HID-BPF support
> >
> >  #
  
Michael Tremer April 24, 2024, 2:45 p.m. UTC | #4
Hello,

> On 22 Apr 2024, at 16:24, Vincent Li <vincent.mc.li@gmail.com> wrote:
> 
> On Sun, Apr 21, 2024 at 2:04 PM Peter Müller <peter.mueller@ipfire.org> wrote:
>> 
>> Hello Michael,
>> 
>> thank you for working on this in particular and the SYNPROXY patchset.
>> 
>> If my understanding of the situation is correct, the changes this patch
>> proposes would only be necessary for Vincent Li's DDoS mitigation that
>> leverages XDP, which remains a custom setup IPFire otherwise does not
>> support (in terms of having it documented, supported by the web interface,
>> etc.).

XDP is not configurable in the kernel. It is always compiled in as it depends on the driver whether it is being implemented.

What Vincent is asking for is to enable the BPF syscall.

>> Frankly, I still think that the misuse potential of having XDP enabled
>> outweighs the benefits of doing so, and I'd rather not see this attack
>> surface being opened by default on IPFire systems, "just" to permit one
>> single custom setup of which the exact nature and benefit still largely
>> remains unclear to me. Personally, I'd much rather see the SYNPROXY patchset
>> you submitted land in IPFire, be properly supported, and enabled by default.
> 
> What attack interface XDP exposed? I guess you mean the eBPF feature
> enabled in general
> could expose attack interfaces. the kernel config I suggested as I
> researched, only enable
> XDP/TC network functionality, no tracing functionality ( which
> requires admin privilege even enabled).

What Peter means is that the larger the codebase the larger the amount of exploitable bugs. IPFire generally tries to minimise the attack surface by disabling features that are not being used.

XDP cannot be disabled. There is not even a switch for it. So, that will always be there.

BPF cannot be disabled either as it is being enabled by default if the kernel is being compiled with network support:

  https://git.ipfire.org/?p=thirdparty/kernel/stable.git;a=blob;f=net/Kconfig;hb=ba151416051a45ffca565f708584b9cd5c971481#l10

> Enabling this allows IPFire users to customize their packet filter
> strategy, it opens up many
> possibilities, for example there is bpfilter project to improve
> iptables/nftables https://github.com/facebook/bpfilter.
> It allows innovation and progress :)

Not everything that is new is automatically innovation.

> 
>> No offense.
>> 
>> Thanks, and best regards,
>> Peter Müller
>> 
>> 
>>>  https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/
>>> 
>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
>>> config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
>>> config/kernel/kernel.config.x86_64-ipfire  | 11 ++++++++++-
>>> 3 files changed, 32 insertions(+), 3 deletions(-)
>>> 
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>> index b85d7add9..3d8282ac6 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
>>> #
>>> # BPF subsystem
>>> #
>>> -# CONFIG_BPF_SYSCALL is not set
>>> +CONFIG_BPF_SYSCALL=y
>>> CONFIG_BPF_JIT=y
>>> +CONFIG_BPF_JIT_ALWAYS_ON=y
>>> CONFIG_BPF_JIT_DEFAULT_ON=y
>>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
>>> +# CONFIG_BPF_PRELOAD is not set
>>> # end of BPF subsystem
>>> 
>>> CONFIG_PREEMPT_BUILD=y
>>> @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=y
>>> CONFIG_TASKS_RCU_GENERIC=y
>>> CONFIG_TASKS_RCU=y
>>> CONFIG_TASKS_RUDE_RCU=y
>>> +CONFIG_TASKS_TRACE_RCU=y
>>> CONFIG_RCU_STALL_COMMON=y
>>> CONFIG_RCU_NEED_SEGCBLIST=y
>>> # end of RCU Subsystem
>>> @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=y
>>> CONFIG_CGROUP_DEVICE=y
>>> CONFIG_CGROUP_CPUACCT=y
>>> CONFIG_CGROUP_PERF=y
>>> +# CONFIG_CGROUP_BPF is not set
>>> # CONFIG_CGROUP_MISC is not set
>>> # CONFIG_CGROUP_DEBUG is not set
>>> CONFIG_SOCK_CGROUP_DATA=y
>>> @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=m
>>> CONFIG_XFRM_IPCOMP=m
>>> CONFIG_NET_KEY=m
>>> CONFIG_NET_KEY_MIGRATE=y
>>> +CONFIG_XDP_SOCKETS=y
>>> +CONFIG_XDP_SOCKETS_DIAG=m
>>> CONFIG_NET_HANDSHAKE=y
>>> CONFIG_INET=y
>>> CONFIG_IP_MULTICAST=y
>>> @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>>> CONFIG_NETFILTER_NETLINK=m
>>> CONFIG_NETFILTER_FAMILY_BRIDGE=y
>>> CONFIG_NETFILTER_FAMILY_ARP=y
>>> +CONFIG_NETFILTER_BPF_LINK=y
>>> # CONFIG_NETFILTER_NETLINK_HOOK is not set
>>> CONFIG_NETFILTER_NETLINK_ACCT=m
>>> CONFIG_NETFILTER_NETLINK_QUEUE=m
>>> @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=m
>>> #
>>> # HID-BPF support
>>> #
>>> +# CONFIG_HID_BPF is not set
>>> # end of HID-BPF support
>>> 
>>> #
>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
>>> index 2bd39e7de..fd2172a25 100644
>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>> @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=y
>>> #
>>> # BPF subsystem
>>> #
>>> -# CONFIG_BPF_SYSCALL is not set
>>> +CONFIG_BPF_SYSCALL=y
>>> CONFIG_BPF_JIT=y
>>> +CONFIG_BPF_JIT_ALWAYS_ON=y
>>> +CONFIG_BPF_JIT_DEFAULT_ON=y
>>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
>>> +# CONFIG_BPF_PRELOAD is not set
>>> +# CONFIG_BPF_LSM is not set
>>> # end of BPF subsystem
>>> 
>>> CONFIG_PREEMPT_VOLUNTARY_BUILD=y
>>> @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=y
>>> CONFIG_TREE_SRCU=y
>>> CONFIG_TASKS_RCU_GENERIC=y
>>> CONFIG_TASKS_RUDE_RCU=y
>>> +CONFIG_TASKS_TRACE_RCU=y
>>> CONFIG_RCU_STALL_COMMON=y
>>> CONFIG_RCU_NEED_SEGCBLIST=y
>>> # end of RCU Subsystem
>>> @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=y
>>> CONFIG_CGROUP_DEVICE=y
>>> CONFIG_CGROUP_CPUACCT=y
>>> CONFIG_CGROUP_PERF=y
>>> +# CONFIG_CGROUP_BPF is not set
>>> # CONFIG_CGROUP_MISC is not set
>>> # CONFIG_CGROUP_DEBUG is not set
>>> CONFIG_SOCK_CGROUP_DATA=y
>>> @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=m
>>> CONFIG_XFRM_IPCOMP=m
>>> CONFIG_NET_KEY=m
>>> CONFIG_NET_KEY_MIGRATE=y
>>> +CONFIG_XDP_SOCKETS=y
>>> +CONFIG_XDP_SOCKETS_DIAG=m
>>> CONFIG_NET_HANDSHAKE=y
>>> CONFIG_INET=y
>>> CONFIG_IP_MULTICAST=y
>>> @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>>> CONFIG_NETFILTER_NETLINK=y
>>> CONFIG_NETFILTER_FAMILY_BRIDGE=y
>>> CONFIG_NETFILTER_FAMILY_ARP=y
>>> +CONFIG_NETFILTER_BPF_LINK=y
>>> # CONFIG_NETFILTER_NETLINK_HOOK is not set
>>> CONFIG_NETFILTER_NETLINK_ACCT=m
>>> CONFIG_NETFILTER_NETLINK_QUEUE=m
>>> @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=y
>>> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
>>> # CONFIG_BLK_DEV_IO_TRACE is not set
>>> CONFIG_UPROBE_EVENTS=y
>>> +CONFIG_BPF_EVENTS=y
>>> CONFIG_DYNAMIC_EVENTS=y
>>> CONFIG_PROBE_EVENTS=y
>>> CONFIG_FTRACE_MCOUNT_RECORD=y
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>> index 8ce66cb4f..ec3bca2e7 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
>>> #
>>> # BPF subsystem
>>> #
>>> -# CONFIG_BPF_SYSCALL is not set
>>> +CONFIG_BPF_SYSCALL=y
>>> CONFIG_BPF_JIT=y
>>> +CONFIG_BPF_JIT_ALWAYS_ON=y
>>> CONFIG_BPF_JIT_DEFAULT_ON=y
>>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
>>> +# CONFIG_BPF_PRELOAD is not set
>>> # end of BPF subsystem
>>> 
>>> CONFIG_PREEMPT_BUILD=y
>>> @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=y
>>> CONFIG_TASKS_RCU_GENERIC=y
>>> CONFIG_TASKS_RCU=y
>>> CONFIG_TASKS_RUDE_RCU=y
>>> +CONFIG_TASKS_TRACE_RCU=y
>>> CONFIG_RCU_STALL_COMMON=y
>>> CONFIG_RCU_NEED_SEGCBLIST=y
>>> # end of RCU Subsystem
>>> @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=y
>>> CONFIG_CGROUP_DEVICE=y
>>> CONFIG_CGROUP_CPUACCT=y
>>> CONFIG_CGROUP_PERF=y
>>> +# CONFIG_CGROUP_BPF is not set
>>> # CONFIG_CGROUP_MISC is not set
>>> # CONFIG_CGROUP_DEBUG is not set
>>> CONFIG_SOCK_CGROUP_DATA=y
>>> @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=m
>>> CONFIG_XFRM_IPCOMP=m
>>> CONFIG_NET_KEY=m
>>> CONFIG_NET_KEY_MIGRATE=y
>>> +CONFIG_XDP_SOCKETS=y
>>> +CONFIG_XDP_SOCKETS_DIAG=m
>>> CONFIG_NET_HANDSHAKE=y
>>> CONFIG_INET=y
>>> CONFIG_IP_MULTICAST=y
>>> @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
>>> CONFIG_NETFILTER_NETLINK=y
>>> CONFIG_NETFILTER_FAMILY_BRIDGE=y
>>> CONFIG_NETFILTER_FAMILY_ARP=y
>>> +CONFIG_NETFILTER_BPF_LINK=y
>>> # CONFIG_NETFILTER_NETLINK_HOOK is not set
>>> CONFIG_NETFILTER_NETLINK_ACCT=m
>>> CONFIG_NETFILTER_NETLINK_QUEUE=m
>>> @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=m
>>> #
>>> # HID-BPF support
>>> #
>>> +# CONFIG_HID_BPF is not set
>>> # end of HID-BPF support
>>> 
>>> #
  
Vincent Li April 24, 2024, 6:27 p.m. UTC | #5
On Wed, Apr 24, 2024 at 7:45 AM Michael Tremer
<michael.tremer@ipfire.org> wrote:
>
> Hello,
>
> > On 22 Apr 2024, at 16:24, Vincent Li <vincent.mc.li@gmail.com> wrote:
> >
> > On Sun, Apr 21, 2024 at 2:04 PM Peter Müller <peter.mueller@ipfire.org> wrote:
> >>
> >> Hello Michael,
> >>
> >> thank you for working on this in particular and the SYNPROXY patchset.
> >>
> >> If my understanding of the situation is correct, the changes this patch
> >> proposes would only be necessary for Vincent Li's DDoS mitigation that
> >> leverages XDP, which remains a custom setup IPFire otherwise does not
> >> support (in terms of having it documented, supported by the web interface,
> >> etc.).
>
> XDP is not configurable in the kernel. It is always compiled in as it depends on the driver whether it is being implemented.
>
> What Vincent is asking for is to enable the BPF syscall.
>
> >> Frankly, I still think that the misuse potential of having XDP enabled
> >> outweighs the benefits of doing so, and I'd rather not see this attack
> >> surface being opened by default on IPFire systems, "just" to permit one
> >> single custom setup of which the exact nature and benefit still largely
> >> remains unclear to me. Personally, I'd much rather see the SYNPROXY patchset
> >> you submitted land in IPFire, be properly supported, and enabled by default.
> >
> > What attack interface XDP exposed? I guess you mean the eBPF feature
> > enabled in general
> > could expose attack interfaces. the kernel config I suggested as I
> > researched, only enable
> > XDP/TC network functionality, no tracing functionality ( which
> > requires admin privilege even enabled).
>
> What Peter means is that the larger the codebase the larger the amount of exploitable bugs. IPFire generally tries to minimise the attack surface by disabling features that are not being used.
>
> XDP cannot be disabled. There is not even a switch for it. So, that will always be there.
>
> BPF cannot be disabled either as it is being enabled by default if the kernel is being compiled with network support:
>
>   https://git.ipfire.org/?p=thirdparty/kernel/stable.git;a=blob;f=net/Kconfig;hb=ba151416051a45ffca565f708584b9cd5c971481#l10
>
> > Enabling this allows IPFire users to customize their packet filter
> > strategy, it opens up many
> > possibilities, for example there is bpfilter project to improve
> > iptables/nftables https://github.com/facebook/bpfilter.
> > It allows innovation and progress :)
>
> Not everything that is new is automatically innovation.
>

ok, point taken, just trying to be helpful here. If the community ever
changes its mind on XDP, I will be glad to help :)

> >
> >> No offense.
> >>
> >> Thanks, and best regards,
> >> Peter Müller
> >>
> >>
> >>>  https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/
> >>>
> >>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> >>> ---
> >>> config/kernel/kernel.config.aarch64-ipfire | 11 ++++++++++-
> >>> config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
> >>> config/kernel/kernel.config.x86_64-ipfire  | 11 ++++++++++-
> >>> 3 files changed, 32 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> >>> index b85d7add9..3d8282ac6 100644
> >>> --- a/config/kernel/kernel.config.aarch64-ipfire
> >>> +++ b/config/kernel/kernel.config.aarch64-ipfire
> >>> @@ -93,9 +93,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
> >>> #
> >>> # BPF subsystem
> >>> #
> >>> -# CONFIG_BPF_SYSCALL is not set
> >>> +CONFIG_BPF_SYSCALL=y
> >>> CONFIG_BPF_JIT=y
> >>> +CONFIG_BPF_JIT_ALWAYS_ON=y
> >>> CONFIG_BPF_JIT_DEFAULT_ON=y
> >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> >>> +# CONFIG_BPF_PRELOAD is not set
> >>> # end of BPF subsystem
> >>>
> >>> CONFIG_PREEMPT_BUILD=y
> >>> @@ -136,6 +139,7 @@ CONFIG_TREE_SRCU=y
> >>> CONFIG_TASKS_RCU_GENERIC=y
> >>> CONFIG_TASKS_RCU=y
> >>> CONFIG_TASKS_RUDE_RCU=y
> >>> +CONFIG_TASKS_TRACE_RCU=y
> >>> CONFIG_RCU_STALL_COMMON=y
> >>> CONFIG_RCU_NEED_SEGCBLIST=y
> >>> # end of RCU Subsystem
> >>> @@ -179,6 +183,7 @@ CONFIG_PROC_PID_CPUSET=y
> >>> CONFIG_CGROUP_DEVICE=y
> >>> CONFIG_CGROUP_CPUACCT=y
> >>> CONFIG_CGROUP_PERF=y
> >>> +# CONFIG_CGROUP_BPF is not set
> >>> # CONFIG_CGROUP_MISC is not set
> >>> # CONFIG_CGROUP_DEBUG is not set
> >>> CONFIG_SOCK_CGROUP_DATA=y
> >>> @@ -1036,6 +1041,8 @@ CONFIG_XFRM_ESP=m
> >>> CONFIG_XFRM_IPCOMP=m
> >>> CONFIG_NET_KEY=m
> >>> CONFIG_NET_KEY_MIGRATE=y
> >>> +CONFIG_XDP_SOCKETS=y
> >>> +CONFIG_XDP_SOCKETS_DIAG=m
> >>> CONFIG_NET_HANDSHAKE=y
> >>> CONFIG_INET=y
> >>> CONFIG_IP_MULTICAST=y
> >>> @@ -1144,6 +1151,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> >>> CONFIG_NETFILTER_NETLINK=m
> >>> CONFIG_NETFILTER_FAMILY_BRIDGE=y
> >>> CONFIG_NETFILTER_FAMILY_ARP=y
> >>> +CONFIG_NETFILTER_BPF_LINK=y
> >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set
> >>> CONFIG_NETFILTER_NETLINK_ACCT=m
> >>> CONFIG_NETFILTER_NETLINK_QUEUE=m
> >>> @@ -6466,6 +6474,7 @@ CONFIG_HID_ZYDACRON=m
> >>> #
> >>> # HID-BPF support
> >>> #
> >>> +# CONFIG_HID_BPF is not set
> >>> # end of HID-BPF support
> >>>
> >>> #
> >>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> >>> index 2bd39e7de..fd2172a25 100644
> >>> --- a/config/kernel/kernel.config.riscv64-ipfire
> >>> +++ b/config/kernel/kernel.config.riscv64-ipfire
> >>> @@ -103,8 +103,13 @@ CONFIG_HAVE_EBPF_JIT=y
> >>> #
> >>> # BPF subsystem
> >>> #
> >>> -# CONFIG_BPF_SYSCALL is not set
> >>> +CONFIG_BPF_SYSCALL=y
> >>> CONFIG_BPF_JIT=y
> >>> +CONFIG_BPF_JIT_ALWAYS_ON=y
> >>> +CONFIG_BPF_JIT_DEFAULT_ON=y
> >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> >>> +# CONFIG_BPF_PRELOAD is not set
> >>> +# CONFIG_BPF_LSM is not set
> >>> # end of BPF subsystem
> >>>
> >>> CONFIG_PREEMPT_VOLUNTARY_BUILD=y
> >>> @@ -139,6 +144,7 @@ CONFIG_TREE_RCU=y
> >>> CONFIG_TREE_SRCU=y
> >>> CONFIG_TASKS_RCU_GENERIC=y
> >>> CONFIG_TASKS_RUDE_RCU=y
> >>> +CONFIG_TASKS_TRACE_RCU=y
> >>> CONFIG_RCU_STALL_COMMON=y
> >>> CONFIG_RCU_NEED_SEGCBLIST=y
> >>> # end of RCU Subsystem
> >>> @@ -180,6 +186,7 @@ CONFIG_PROC_PID_CPUSET=y
> >>> CONFIG_CGROUP_DEVICE=y
> >>> CONFIG_CGROUP_CPUACCT=y
> >>> CONFIG_CGROUP_PERF=y
> >>> +# CONFIG_CGROUP_BPF is not set
> >>> # CONFIG_CGROUP_MISC is not set
> >>> # CONFIG_CGROUP_DEBUG is not set
> >>> CONFIG_SOCK_CGROUP_DATA=y
> >>> @@ -826,6 +833,8 @@ CONFIG_XFRM_ESP=m
> >>> CONFIG_XFRM_IPCOMP=m
> >>> CONFIG_NET_KEY=m
> >>> CONFIG_NET_KEY_MIGRATE=y
> >>> +CONFIG_XDP_SOCKETS=y
> >>> +CONFIG_XDP_SOCKETS_DIAG=m
> >>> CONFIG_NET_HANDSHAKE=y
> >>> CONFIG_INET=y
> >>> CONFIG_IP_MULTICAST=y
> >>> @@ -934,6 +943,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> >>> CONFIG_NETFILTER_NETLINK=y
> >>> CONFIG_NETFILTER_FAMILY_BRIDGE=y
> >>> CONFIG_NETFILTER_FAMILY_ARP=y
> >>> +CONFIG_NETFILTER_BPF_LINK=y
> >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set
> >>> CONFIG_NETFILTER_NETLINK_ACCT=m
> >>> CONFIG_NETFILTER_NETLINK_QUEUE=m
> >>> @@ -7383,6 +7393,7 @@ CONFIG_BRANCH_PROFILE_NONE=y
> >>> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> >>> # CONFIG_BLK_DEV_IO_TRACE is not set
> >>> CONFIG_UPROBE_EVENTS=y
> >>> +CONFIG_BPF_EVENTS=y
> >>> CONFIG_DYNAMIC_EVENTS=y
> >>> CONFIG_PROBE_EVENTS=y
> >>> CONFIG_FTRACE_MCOUNT_RECORD=y
> >>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> >>> index 8ce66cb4f..ec3bca2e7 100644
> >>> --- a/config/kernel/kernel.config.x86_64-ipfire
> >>> +++ b/config/kernel/kernel.config.x86_64-ipfire
> >>> @@ -113,9 +113,12 @@ CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
> >>> #
> >>> # BPF subsystem
> >>> #
> >>> -# CONFIG_BPF_SYSCALL is not set
> >>> +CONFIG_BPF_SYSCALL=y
> >>> CONFIG_BPF_JIT=y
> >>> +CONFIG_BPF_JIT_ALWAYS_ON=y
> >>> CONFIG_BPF_JIT_DEFAULT_ON=y
> >>> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> >>> +# CONFIG_BPF_PRELOAD is not set
> >>> # end of BPF subsystem
> >>>
> >>> CONFIG_PREEMPT_BUILD=y
> >>> @@ -156,6 +159,7 @@ CONFIG_TREE_SRCU=y
> >>> CONFIG_TASKS_RCU_GENERIC=y
> >>> CONFIG_TASKS_RCU=y
> >>> CONFIG_TASKS_RUDE_RCU=y
> >>> +CONFIG_TASKS_TRACE_RCU=y
> >>> CONFIG_RCU_STALL_COMMON=y
> >>> CONFIG_RCU_NEED_SEGCBLIST=y
> >>> # end of RCU Subsystem
> >>> @@ -199,6 +203,7 @@ CONFIG_PROC_PID_CPUSET=y
> >>> CONFIG_CGROUP_DEVICE=y
> >>> CONFIG_CGROUP_CPUACCT=y
> >>> CONFIG_CGROUP_PERF=y
> >>> +# CONFIG_CGROUP_BPF is not set
> >>> # CONFIG_CGROUP_MISC is not set
> >>> # CONFIG_CGROUP_DEBUG is not set
> >>> CONFIG_SOCK_CGROUP_DATA=y
> >>> @@ -1099,6 +1104,8 @@ CONFIG_XFRM_ESP=m
> >>> CONFIG_XFRM_IPCOMP=m
> >>> CONFIG_NET_KEY=m
> >>> CONFIG_NET_KEY_MIGRATE=y
> >>> +CONFIG_XDP_SOCKETS=y
> >>> +CONFIG_XDP_SOCKETS_DIAG=m
> >>> CONFIG_NET_HANDSHAKE=y
> >>> CONFIG_INET=y
> >>> CONFIG_IP_MULTICAST=y
> >>> @@ -1207,6 +1214,7 @@ CONFIG_NETFILTER_SKIP_EGRESS=y
> >>> CONFIG_NETFILTER_NETLINK=y
> >>> CONFIG_NETFILTER_FAMILY_BRIDGE=y
> >>> CONFIG_NETFILTER_FAMILY_ARP=y
> >>> +CONFIG_NETFILTER_BPF_LINK=y
> >>> # CONFIG_NETFILTER_NETLINK_HOOK is not set
> >>> CONFIG_NETFILTER_NETLINK_ACCT=m
> >>> CONFIG_NETFILTER_NETLINK_QUEUE=m
> >>> @@ -5861,6 +5869,7 @@ CONFIG_HID_SENSOR_HUB=m
> >>> #
> >>> # HID-BPF support
> >>> #
> >>> +# CONFIG_HID_BPF is not set
> >>> # end of HID-BPF support
> >>>
> >>> #
>
>
  

Patch

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index b85d7add9..3d8282ac6 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -93,9 +93,12 @@  CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
 #
 # BPF subsystem
 #
-# CONFIG_BPF_SYSCALL is not set
+CONFIG_BPF_SYSCALL=y
 CONFIG_BPF_JIT=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
+# CONFIG_BPF_PRELOAD is not set
 # end of BPF subsystem
 
 CONFIG_PREEMPT_BUILD=y
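Review bot: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y only sets the boot-time default of kernel.unprivileged_bpf_disabled to 2, which an administrator can still reset to 0 at runtime, so on its own it does not guarantee that only privileged callers reach bpf(); if that is the policy the thread is converging on, the sysctl baseline shipped with the kernel should pin `kernel.unprivileged_bpf_disabled = 1` (the value that cannot be changed back), or the commit message should state that runtime re-enablement is acceptable. The same applies to the riscv64 hunk at -103,8 and the x86_64 hunk at -113,9. The riscv64 hunk additionally records `# CONFIG_BPF_LSM is not set` while the aarch64 and x86_64 hunks do not; presumably that symbol's dependencies are unmet on the other two architectures, but it is worth confirming so that all three configs express the same policy. Since this is the change that first exposes the bpf() syscall, the hardening rationale for the chosen knobs (JIT_ALWAYS_ON, UNPRIV_DEFAULT_OFF, PRELOAD left off) belongs in the commit message rather than only behind the list-thread link.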
@@ -136,6 +139,7 @@  CONFIG_TREE_SRCU=y
 CONFIG_TASKS_RCU_GENERIC=y
 CONFIG_TASKS_RCU=y
 CONFIG_TASKS_RUDE_RCU=y
+CONFIG_TASKS_TRACE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -179,6 +183,7 @@  CONFIG_PROC_PID_CPUSET=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
 CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_BPF is not set
 # CONFIG_CGROUP_MISC is not set
 # CONFIG_CGROUP_DEBUG is not set
 CONFIG_SOCK_CGROUP_DATA=y
@@ -1036,6 +1041,8 @@  CONFIG_XFRM_ESP=m
 CONFIG_XFRM_IPCOMP=m
 CONFIG_NET_KEY=m
 CONFIG_NET_KEY_MIGRATE=y
+CONFIG_XDP_SOCKETS=y
+CONFIG_XDP_SOCKETS_DIAG=m
 CONFIG_NET_HANDSHAKE=y
 CONFIG_INET=y
 CONFIG_IP_MULTICAST=y
@@ -1144,6 +1151,7 @@  CONFIG_NETFILTER_SKIP_EGRESS=y
 CONFIG_NETFILTER_NETLINK=m
 CONFIG_NETFILTER_FAMILY_BRIDGE=y
 CONFIG_NETFILTER_FAMILY_ARP=y
+CONFIG_NETFILTER_BPF_LINK=y
 # CONFIG_NETFILTER_NETLINK_HOOK is not set
 CONFIG_NETFILTER_NETLINK_ACCT=m
 CONFIG_NETFILTER_NETLINK_QUEUE=m
@@ -6466,6 +6474,7 @@  CONFIG_HID_ZYDACRON=m
 #
 # HID-BPF support
 #
+# CONFIG_HID_BPF is not set
 # end of HID-BPF support
 
 #
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 2bd39e7de..fd2172a25 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -103,8 +103,13 @@  CONFIG_HAVE_EBPF_JIT=y
 #
 # BPF subsystem
 #
-# CONFIG_BPF_SYSCALL is not set
+CONFIG_BPF_SYSCALL=y
 CONFIG_BPF_JIT=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
+CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
+# CONFIG_BPF_PRELOAD is not set
+# CONFIG_BPF_LSM is not set
 # end of BPF subsystem
 
 CONFIG_PREEMPT_VOLUNTARY_BUILD=y
@@ -139,6 +144,7 @@  CONFIG_TREE_RCU=y
 CONFIG_TREE_SRCU=y
 CONFIG_TASKS_RCU_GENERIC=y
 CONFIG_TASKS_RUDE_RCU=y
+CONFIG_TASKS_TRACE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -180,6 +186,7 @@  CONFIG_PROC_PID_CPUSET=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
 CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_BPF is not set
 # CONFIG_CGROUP_MISC is not set
 # CONFIG_CGROUP_DEBUG is not set
 CONFIG_SOCK_CGROUP_DATA=y
@@ -826,6 +833,8 @@  CONFIG_XFRM_ESP=m
 CONFIG_XFRM_IPCOMP=m
 CONFIG_NET_KEY=m
 CONFIG_NET_KEY_MIGRATE=y
+CONFIG_XDP_SOCKETS=y
+CONFIG_XDP_SOCKETS_DIAG=m
 CONFIG_NET_HANDSHAKE=y
 CONFIG_INET=y
 CONFIG_IP_MULTICAST=y
@@ -934,6 +943,7 @@  CONFIG_NETFILTER_SKIP_EGRESS=y
 CONFIG_NETFILTER_NETLINK=y
 CONFIG_NETFILTER_FAMILY_BRIDGE=y
 CONFIG_NETFILTER_FAMILY_ARP=y
+CONFIG_NETFILTER_BPF_LINK=y
 # CONFIG_NETFILTER_NETLINK_HOOK is not set
 CONFIG_NETFILTER_NETLINK_ACCT=m
 CONFIG_NETFILTER_NETLINK_QUEUE=m
@@ -7383,6 +7393,7 @@  CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
 # CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
+CONFIG_BPF_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
 CONFIG_FTRACE_MCOUNT_RECORD=y
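Review bot: CONFIG_BPF_EVENTS=y turns on the tracing-side BPF program types (attachment to kprobe, uprobe and tracepoint events), which is precisely the functionality the thread says this series is not meant to enable, and it appears only in the riscv64 config, so the three architectures no longer ship the same BPF policy. BPF_EVENTS is a non-visible `default y` symbol that follows from BPF_SYSCALL together with PERF_EVENTS and kprobe or uprobe events (CONFIG_UPROBE_EVENTS=y is visible as context in this hunk), so it cannot simply be unset; keeping tracing BPF off on riscv64 means dropping one of those dependencies, or else the commit message should document that tracing BPF is accepted on this architecture only. Either way the discrepancy should be called out rather than left implicit in the diff.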
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 8ce66cb4f..ec3bca2e7 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -113,9 +113,12 @@  CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
 #
 # BPF subsystem
 #
-# CONFIG_BPF_SYSCALL is not set
+CONFIG_BPF_SYSCALL=y
 CONFIG_BPF_JIT=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
+# CONFIG_BPF_PRELOAD is not set
 # end of BPF subsystem
 
 CONFIG_PREEMPT_BUILD=y
@@ -156,6 +159,7 @@  CONFIG_TREE_SRCU=y
 CONFIG_TASKS_RCU_GENERIC=y
 CONFIG_TASKS_RCU=y
 CONFIG_TASKS_RUDE_RCU=y
+CONFIG_TASKS_TRACE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -199,6 +203,7 @@  CONFIG_PROC_PID_CPUSET=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
 CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_BPF is not set
 # CONFIG_CGROUP_MISC is not set
 # CONFIG_CGROUP_DEBUG is not set
 CONFIG_SOCK_CGROUP_DATA=y
@@ -1099,6 +1104,8 @@  CONFIG_XFRM_ESP=m
 CONFIG_XFRM_IPCOMP=m
 CONFIG_NET_KEY=m
 CONFIG_NET_KEY_MIGRATE=y
+CONFIG_XDP_SOCKETS=y
+CONFIG_XDP_SOCKETS_DIAG=m
 CONFIG_NET_HANDSHAKE=y
 CONFIG_INET=y
 CONFIG_IP_MULTICAST=y
@@ -1207,6 +1214,7 @@  CONFIG_NETFILTER_SKIP_EGRESS=y
 CONFIG_NETFILTER_NETLINK=y
 CONFIG_NETFILTER_FAMILY_BRIDGE=y
 CONFIG_NETFILTER_FAMILY_ARP=y
+CONFIG_NETFILTER_BPF_LINK=y
 # CONFIG_NETFILTER_NETLINK_HOOK is not set
 CONFIG_NETFILTER_NETLINK_ACCT=m
 CONFIG_NETFILTER_NETLINK_QUEUE=m
@@ -5861,6 +5869,7 @@  CONFIG_HID_SENSOR_HUB=m
 #
 # HID-BPF support
 #
+# CONFIG_HID_BPF is not set
 # end of HID-BPF support
 
 #