bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: David Laight <David.Laight@ACULAB.COM>
To: 'Stanislav Fomichev' <sdf@google.com>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"bpf@vger.kernel.org" <bpf@vger.kernel.org>
Cc: "davem@davemloft.net" <davem@davemloft.net>,
	"ast@kernel.org" <ast@kernel.org>,
	"daniel@iogearbox.net" <daniel@iogearbox.net>
Subject: RE: [PATCH bpf v2] bpf: increase {get,set}sockopt optval size limit
Date: Sun, 7 Jun 2020 13:35:48 +0000	[thread overview]
Message-ID: <676ee05282404ea98e5de55d0c254902@AcuMS.aculab.com> (raw)
In-Reply-To: <20200605002155.93267-1-sdf@google.com>

From: Stanislav Fomichev
> Sent: 05 June 2020 01:22
> Attaching to these hooks can break iptables because its optval is
> usually quite big, or at least bigger than the current PAGE_SIZE limit.
> 
> There are two possible ways to fix it:
> 1. Increase the limit to match iptables max optval.
> 2. Implement some way to bypass the value if it's too big and trigger
>    BPF only with level/optname so BPF can still decide whether
>    to allow/deny big sockopts.
> 
> I went with #1 which means we are potentially increasing the
> amount of data we copy from the userspace from PAGE_SIZE to 512M.
...
> +	const int max_supported_optlen = 512 * 1024 * 1024 + 128;

512MB seems a bit big.
I'd have thought that iptables would be usable from a 32bit application
where that is 1/6th the process address space.
Anything that might be that big ought to be done in chunks.

I was looking at the SCTP socket option code.
ISTR that may require just over 256kB - still silly, but not as bad.

SCTP also requires that getsockopt() copy the buffer in from userspace.
One call required more than a 'sockaddr storage' be read in.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

      parent reply	other threads:[~2020-06-07 13:35 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-05  0:21 [PATCH bpf v2] bpf: increase {get,set}sockopt optval size limit Stanislav Fomichev
2020-06-05  4:35 ` Alexei Starovoitov
2020-06-05 16:13   ` sdf
2020-06-07 13:35 ` David Laight [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=676ee05282404ea98e5de55d0c254902@AcuMS.aculab.com \
    --to=david.laight@aculab.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=sdf@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).