2019-04-19 05:35:54 +08:00
|
|
|
================================
|
|
|
|
Documentation for /proc/sys/net/
|
|
|
|
================================
|
2009-04-03 07:57:20 +08:00
|
|
|
|
2019-04-19 05:35:54 +08:00
|
|
|
Copyright
|
2009-04-03 07:57:20 +08:00
|
|
|
|
2019-04-19 05:35:54 +08:00
|
|
|
Copyright (c) 1999
|
|
|
|
|
|
|
|
- Terrehon Bowden <terrehon@pacbell.net>
|
|
|
|
- Bodo Bauer <bb@ricochet.net>
|
|
|
|
|
|
|
|
Copyright (c) 2000
|
|
|
|
|
|
|
|
- Jorge Nerin <comandante@zaralinux.com>
|
|
|
|
|
|
|
|
Copyright (c) 2009
|
|
|
|
|
|
|
|
- Shen Feng <shen@cn.fujitsu.com>
|
|
|
|
|
|
|
|
For general info and legal blurb, please look in index.rst.
|
|
|
|
|
|
|
|
------------------------------------------------------------------------------
|
2009-04-03 07:57:20 +08:00
|
|
|
|
|
|
|
This file contains the documentation for the sysctl files in
|
2013-06-22 02:56:12 +08:00
|
|
|
/proc/sys/net
|
2009-04-03 07:57:20 +08:00
|
|
|
|
|
|
|
The interface to the networking parts of the kernel is located in
|
2013-06-22 02:56:12 +08:00
|
|
|
/proc/sys/net. The following table shows all possible subdirectories. You may
|
2009-04-03 07:57:20 +08:00
|
|
|
see only some of them, depending on your kernel's configuration.
|
|
|
|
|
|
|
|
|
|
|
|
Table : Subdirectories in /proc/sys/net
|
2019-04-19 05:35:54 +08:00
|
|
|
|
|
|
|
========= =================== = ========== ==================
|
|
|
|
Directory Content Directory Content
|
|
|
|
========= =================== = ========== ==================
|
|
|
|
core General parameter appletalk Appletalk protocol
|
|
|
|
unix Unix domain sockets netrom NET/ROM
|
|
|
|
802 E802 protocol ax25 AX25
|
|
|
|
ethernet Ethernet protocol rose X.25 PLP layer
|
|
|
|
ipv4 IP version 4 x25 X.25 protocol
|
|
|
|
bridge Bridging decnet DEC net
|
|
|
|
ipv6 IP version 6 tipc TIPC
|
|
|
|
========= =================== = ========== ==================
|
2009-04-03 07:57:20 +08:00
|
|
|
|
|
|
|
1. /proc/sys/net/core - Network core options
|
2019-04-19 05:35:54 +08:00
|
|
|
============================================
|
2009-04-03 07:57:20 +08:00
|
|
|
|
2011-04-20 17:27:32 +08:00
|
|
|
bpf_jit_enable
|
|
|
|
--------------
|
|
|
|
|
2017-08-18 23:11:06 +08:00
|
|
|
This enables the BPF Just in Time (JIT) compiler. BPF is a flexible
|
|
|
|
and efficient infrastructure allowing to execute bytecode at various
|
|
|
|
hook points. It is used in a number of Linux kernel subsystems such
|
|
|
|
as networking (e.g. XDP, tc), tracing (e.g. kprobes, uprobes, tracepoints)
|
|
|
|
and security (e.g. seccomp). LLVM has a BPF back end that can compile
|
|
|
|
restricted C into a sequence of BPF instructions. After program load
|
|
|
|
through bpf(2) and passing a verifier in the kernel, a JIT will then
|
|
|
|
translate these BPF proglets into native CPU instructions. There are
|
|
|
|
two flavors of JITs, the newer eBPF JIT currently supported on:
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2017-08-17 18:30:39 +08:00
|
|
|
- x86_64
|
bpf, x86_32: add eBPF JIT compiler for ia32
The JIT compiler emits ia32 bit instructions. Currently, It supports eBPF
only. Classic BPF is supported because of the conversion by BPF core.
Almost all instructions from eBPF ISA supported except the following:
BPF_ALU64 | BPF_DIV | BPF_K
BPF_ALU64 | BPF_DIV | BPF_X
BPF_ALU64 | BPF_MOD | BPF_K
BPF_ALU64 | BPF_MOD | BPF_X
BPF_STX | BPF_XADD | BPF_W
BPF_STX | BPF_XADD | BPF_DW
It doesn't support BPF_JMP|BPF_CALL with BPF_PSEUDO_CALL at the moment.
IA32 has few general purpose registers, EAX|EDX|ECX|EBX|ESI|EDI. I use
EAX|EDX|ECX|EBX as temporary registers to simulate instructions in eBPF
ISA, and allocate ESI|EDI to BPF_REG_AX for constant blinding, all others
eBPF registers, R0-R10, are simulated through scratch space on stack.
The reasons behind the hardware registers allocation policy are:
1:MUL need EAX:EDX, shift operation need ECX, so they aren't fit
for general eBPF 64bit register simulation.
2:We need at least 4 registers to simulate most eBPF ISA operations
on registers operands instead of on register&memory operands.
3:We need to put BPF_REG_AX on hardware registers, or constant blinding
will degrade jit performance heavily.
Tested on PC (Intel(R) Core(TM) i5-5200U CPU).
Testing results on i5-5200U:
1) test_bpf: Summary: 349 PASSED, 0 FAILED, [319/341 JIT'ed]
2) test_progs: Summary: 83 PASSED, 0 FAILED.
3) test_lpm: OK
4) test_lru_map: OK
5) test_verifier: Summary: 828 PASSED, 0 FAILED.
Above tests are all done in following two conditions separately:
1:bpf_jit_enable=1 and bpf_jit_harden=0
2:bpf_jit_enable=1 and bpf_jit_harden=2
Below are some numbers for this jit implementation:
Note:
I run test_progs in kselftest 100 times continuously for every condition,
the numbers are in format: total/times=avg.
The numbers that test_bpf reports show almost the same relation.
a:jit_enable=0 and jit_harden=0 b:jit_enable=1 and jit_harden=0
test_pkt_access:PASS:ipv4:15622/100=156 test_pkt_access:PASS:ipv4:10674/100=106
test_pkt_access:PASS:ipv6:9130/100=91 test_pkt_access:PASS:ipv6:4855/100=48
test_xdp:PASS:ipv4:240198/100=2401 test_xdp:PASS:ipv4:138912/100=1389
test_xdp:PASS:ipv6:137326/100=1373 test_xdp:PASS:ipv6:68542/100=685
test_l4lb:PASS:ipv4:61100/100=611 test_l4lb:PASS:ipv4:37302/100=373
test_l4lb:PASS:ipv6:101000/100=1010 test_l4lb:PASS:ipv6:55030/100=550
c:jit_enable=1 and jit_harden=2
test_pkt_access:PASS:ipv4:10558/100=105
test_pkt_access:PASS:ipv6:5092/100=50
test_xdp:PASS:ipv4:131902/100=1319
test_xdp:PASS:ipv6:77932/100=779
test_l4lb:PASS:ipv4:38924/100=389
test_l4lb:PASS:ipv6:57520/100=575
The numbers show we get 30%~50% improvement.
See Documentation/networking/filter.txt for more information.
Changelog:
Changes v5-v6:
1:Add do {} while (0) to RETPOLINE_RAX_BPF_JIT for
consistence reason.
2:Clean up non-standard comments, reported by Daniel Borkmann.
3:Fix a memory leak issue, repoted by Daniel Borkmann.
Changes v4-v5:
1:Delete is_on_stack, BPF_REG_AX is the only one
on real hardware registers, so just check with
it.
2:Apply commit 1612a981b766 ("bpf, x64: fix JIT emission
for dead code"), suggested by Daniel Borkmann.
Changes v3-v4:
1:Fix changelog in commit.
I install llvm-6.0, then test_progs willn't report errors.
I submit another patch:
"bpf: fix misaligned access for BPF_PROG_TYPE_PERF_EVENT program type on x86_32 platform"
to fix another problem, after that patch, test_verifier willn't report errors too.
2:Fix clear r0[1] twice unnecessarily in *BPF_IND|BPF_ABS* simulation.
Changes v2-v3:
1:Move BPF_REG_AX to real hardware registers for performance reason.
3:Using bpf_load_pointer instead of bpf_jit32.S, suggested by Daniel Borkmann.
4:Delete partial codes in 1c2a088a6626, suggested by Daniel Borkmann.
5:Some bug fixes and comments improvement.
Changes v1-v2:
1:Fix bug in emit_ia32_neg64.
2:Fix bug in emit_ia32_arsh_r64.
3:Delete filename in top level comment, suggested by Thomas Gleixner.
4:Delete unnecessary boiler plate text, suggested by Thomas Gleixner.
5:Rewrite some words in changelog.
6:CodingSytle improvement and a little more comments.
Signed-off-by: Wang YanQing <udknight@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-05-03 14:10:43 +08:00
|
|
|
- x86_32
|
2017-08-17 18:30:39 +08:00
|
|
|
- arm64
|
2017-08-23 23:59:10 +08:00
|
|
|
- arm32
|
2017-08-17 18:30:39 +08:00
|
|
|
- ppc64
|
|
|
|
- sparc64
|
|
|
|
- mips64
|
2017-08-21 06:26:03 +08:00
|
|
|
- s390x
|
2020-03-05 13:02:06 +08:00
|
|
|
- riscv64
|
|
|
|
- riscv32
|
2017-08-17 18:30:39 +08:00
|
|
|
|
2017-08-18 23:11:06 +08:00
|
|
|
And the older cBPF JIT supported on the following archs:
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2017-08-17 18:30:39 +08:00
|
|
|
- mips
|
|
|
|
- ppc
|
|
|
|
- sparc
|
|
|
|
|
2017-08-18 23:11:06 +08:00
|
|
|
eBPF JITs are a superset of cBPF JITs, meaning the kernel will
|
|
|
|
migrate cBPF instructions into eBPF instructions and then JIT
|
|
|
|
compile them transparently. Older cBPF JITs can only translate
|
|
|
|
tcpdump filters, seccomp rules, etc, but not mentioned eBPF
|
|
|
|
programs loaded through bpf(2).
|
2017-08-17 18:30:39 +08:00
|
|
|
|
2019-04-19 05:35:54 +08:00
|
|
|
Values:
|
|
|
|
|
|
|
|
- 0 - disable the JIT (default value)
|
|
|
|
- 1 - enable the JIT
|
|
|
|
- 2 - enable the JIT and ask the compiler to emit traces on kernel log.
|
2011-04-20 17:27:32 +08:00
|
|
|
|
bpf: add generic constant blinding for use in jits
This work adds a generic facility for use from eBPF JIT compilers
that allows for further hardening of JIT generated images through
blinding constants. In response to the original work on BPF JIT
spraying published by Keegan McAllister [1], most BPF JITs were
changed to make images read-only and start at a randomized offset
in the page, where the rest was filled with trap instructions. We
have this nowadays in x86, arm, arm64 and s390 JIT compilers.
Additionally, later work also made eBPF interpreter images read
only for kernels supporting DEBUG_SET_MODULE_RONX, that is, x86,
arm, arm64 and s390 archs as well currently. This is done by
default for mentioned JITs when JITing is enabled. Furthermore,
we had a generic and configurable constant blinding facility on our
todo for quite some time now to further make spraying harder, and
first implementation since around netconf 2016.
We found that for systems where untrusted users can load cBPF/eBPF
code where JIT is enabled, start offset randomization helps a bit
to make jumps into crafted payload harder, but in case where larger
programs that cross page boundary are injected, we again have some
part of the program opcodes at a page start offset. With improved
guessing and more reliable payload injection, chances can increase
to jump into such payload. Elena Reshetova recently wrote a test
case for it [2, 3]. Moreover, eBPF comes with 64 bit constants, which
can leave some more room for payloads. Note that for all this,
additional bugs in the kernel are still required to make the jump
(and of course to guess right, to not jump into a trap) and naturally
the JIT must be enabled, which is disabled by default.
For helping mitigation, the general idea is to provide an option
bpf_jit_harden that admins can tweak along with bpf_jit_enable, so
that for cases where JIT should be enabled for performance reasons,
the generated image can be further hardened with blinding constants
for unpriviledged users (bpf_jit_harden == 1), with trading off
performance for these, but not for privileged ones. We also added
the option of blinding for all users (bpf_jit_harden == 2), which
is quite helpful for testing f.e. with test_bpf.ko. There are no
further e.g. hardening levels of bpf_jit_harden switch intended,
rationale is to have it dead simple to use as on/off. Since this
functionality would need to be duplicated over and over for JIT
compilers to use, which are already complex enough, we provide a
generic eBPF byte-code level based blinding implementation, which is
then just transparently JITed. JIT compilers need to make only a few
changes to integrate this facility and can be migrated one by one.
This option is for eBPF JITs and will be used in x86, arm64, s390
without too much effort, and soon ppc64 JITs, thus that native eBPF
can be blinded as well as cBPF to eBPF migrations, so that both can
be covered with a single implementation. The rule for JITs is that
bpf_jit_blind_constants() must be called from bpf_int_jit_compile(),
and in case blinding is disabled, we follow normally with JITing the
passed program. In case blinding is enabled and we fail during the
process of blinding itself, we must return with the interpreter.
Similarly, in case the JITing process after the blinding failed, we
return normally to the interpreter with the non-blinded code. Meaning,
interpreter doesn't change in any way and operates on eBPF code as
usual. For doing this pre-JIT blinding step, we need to make use of
a helper/auxiliary register, here BPF_REG_AX. This is strictly internal
to the JIT and not in any way part of the eBPF architecture. Just like
in the same way as JITs internally make use of some helper registers
when emitting code, only that here the helper register is one
abstraction level higher in eBPF bytecode, but nevertheless in JIT
phase. That helper register is needed since f.e. manually written
program can issue loads to all registers of eBPF architecture.
The core concept with the additional register is: blind out all 32
and 64 bit constants by converting BPF_K based instructions into a
small sequence from K_VAL into ((RND ^ K_VAL) ^ RND). Therefore, this
is transformed into: BPF_REG_AX := (RND ^ K_VAL), BPF_REG_AX ^= RND,
and REG <OP> BPF_REG_AX, so actual operation on the target register
is translated from BPF_K into BPF_X one that is operating on
BPF_REG_AX's content. During rewriting phase when blinding, RND is
newly generated via prandom_u32() for each processed instruction.
64 bit loads are split into two 32 bit loads to make translation and
patching not too complex. Only basic thing required by JITs is to
call the helper bpf_jit_blind_constants()/bpf_jit_prog_release_other()
pair, and to map BPF_REG_AX into an unused register.
Small bpf_jit_disasm extract from [2] when applied to x86 JIT:
echo 0 > /proc/sys/net/core/bpf_jit_harden
ffffffffa034f5e9 + <x>:
[...]
39: mov $0xa8909090,%eax
3e: mov $0xa8909090,%eax
43: mov $0xa8ff3148,%eax
48: mov $0xa89081b4,%eax
4d: mov $0xa8900bb0,%eax
52: mov $0xa810e0c1,%eax
57: mov $0xa8908eb4,%eax
5c: mov $0xa89020b0,%eax
[...]
echo 1 > /proc/sys/net/core/bpf_jit_harden
ffffffffa034f1e5 + <x>:
[...]
39: mov $0xe1192563,%r10d
3f: xor $0x4989b5f3,%r10d
46: mov %r10d,%eax
49: mov $0xb8296d93,%r10d
4f: xor $0x10b9fd03,%r10d
56: mov %r10d,%eax
59: mov $0x8c381146,%r10d
5f: xor $0x24c7200e,%r10d
66: mov %r10d,%eax
69: mov $0xeb2a830e,%r10d
6f: xor $0x43ba02ba,%r10d
76: mov %r10d,%eax
79: mov $0xd9730af,%r10d
7f: xor $0xa5073b1f,%r10d
86: mov %r10d,%eax
89: mov $0x9a45662b,%r10d
8f: xor $0x325586ea,%r10d
96: mov %r10d,%eax
[...]
As can be seen, original constants that carry payload are hidden
when enabled, actual operations are transformed from constant-based
to register-based ones, making jumps into constants ineffective.
Above extract/example uses single BPF load instruction over and
over, but of course all instructions with constants are blinded.
Performance wise, JIT with blinding performs a bit slower than just
JIT and faster than interpreter case. This is expected, since we
still get all the performance benefits from JITing and in normal
use-cases not every single instruction needs to be blinded. Summing
up all 296 test cases averaged over multiple runs from test_bpf.ko
suite, interpreter was 55% slower than JIT only and JIT with blinding
was 8% slower than JIT only. Since there are also some extremes in
the test suite, I expect for ordinary workloads that the performance
for the JIT with blinding case is even closer to JIT only case,
f.e. nmap test case from suite has averaged timings in ns 29 (JIT),
35 (+ blinding), and 151 (interpreter).
BPF test suite, seccomp test suite, eBPF sample code and various
bigger networking eBPF programs have been tested with this and were
running fine. For testing purposes, I also adapted interpreter and
redirected blinded eBPF image to interpreter and also here all tests
pass.
[1] http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
[2] https://github.com/01org/jit-spray-poc-for-ksp/
[3] http://www.openwall.com/lists/kernel-hardening/2016/05/03/5
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Elena Reshetova <elena.reshetova@intel.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-14 01:08:32 +08:00
|
|
|
bpf_jit_harden
|
|
|
|
--------------
|
|
|
|
|
2017-08-18 23:11:06 +08:00
|
|
|
This enables hardening for the BPF JIT compiler. Supported are eBPF
|
|
|
|
JIT backends. Enabling hardening trades off performance, but can
|
|
|
|
mitigate JIT spraying.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
|
|
|
Values:
|
|
|
|
|
|
|
|
- 0 - disable JIT hardening (default value)
|
|
|
|
- 1 - enable JIT hardening for unprivileged users only
|
|
|
|
- 2 - enable JIT hardening for all users
|
bpf: add generic constant blinding for use in jits
This work adds a generic facility for use from eBPF JIT compilers
that allows for further hardening of JIT generated images through
blinding constants. In response to the original work on BPF JIT
spraying published by Keegan McAllister [1], most BPF JITs were
changed to make images read-only and start at a randomized offset
in the page, where the rest was filled with trap instructions. We
have this nowadays in x86, arm, arm64 and s390 JIT compilers.
Additionally, later work also made eBPF interpreter images read
only for kernels supporting DEBUG_SET_MODULE_RONX, that is, x86,
arm, arm64 and s390 archs as well currently. This is done by
default for mentioned JITs when JITing is enabled. Furthermore,
we had a generic and configurable constant blinding facility on our
todo for quite some time now to further make spraying harder, and
first implementation since around netconf 2016.
We found that for systems where untrusted users can load cBPF/eBPF
code where JIT is enabled, start offset randomization helps a bit
to make jumps into crafted payload harder, but in case where larger
programs that cross page boundary are injected, we again have some
part of the program opcodes at a page start offset. With improved
guessing and more reliable payload injection, chances can increase
to jump into such payload. Elena Reshetova recently wrote a test
case for it [2, 3]. Moreover, eBPF comes with 64 bit constants, which
can leave some more room for payloads. Note that for all this,
additional bugs in the kernel are still required to make the jump
(and of course to guess right, to not jump into a trap) and naturally
the JIT must be enabled, which is disabled by default.
For helping mitigation, the general idea is to provide an option
bpf_jit_harden that admins can tweak along with bpf_jit_enable, so
that for cases where JIT should be enabled for performance reasons,
the generated image can be further hardened with blinding constants
for unpriviledged users (bpf_jit_harden == 1), with trading off
performance for these, but not for privileged ones. We also added
the option of blinding for all users (bpf_jit_harden == 2), which
is quite helpful for testing f.e. with test_bpf.ko. There are no
further e.g. hardening levels of bpf_jit_harden switch intended,
rationale is to have it dead simple to use as on/off. Since this
functionality would need to be duplicated over and over for JIT
compilers to use, which are already complex enough, we provide a
generic eBPF byte-code level based blinding implementation, which is
then just transparently JITed. JIT compilers need to make only a few
changes to integrate this facility and can be migrated one by one.
This option is for eBPF JITs and will be used in x86, arm64, s390
without too much effort, and soon ppc64 JITs, thus that native eBPF
can be blinded as well as cBPF to eBPF migrations, so that both can
be covered with a single implementation. The rule for JITs is that
bpf_jit_blind_constants() must be called from bpf_int_jit_compile(),
and in case blinding is disabled, we follow normally with JITing the
passed program. In case blinding is enabled and we fail during the
process of blinding itself, we must return with the interpreter.
Similarly, in case the JITing process after the blinding failed, we
return normally to the interpreter with the non-blinded code. Meaning,
interpreter doesn't change in any way and operates on eBPF code as
usual. For doing this pre-JIT blinding step, we need to make use of
a helper/auxiliary register, here BPF_REG_AX. This is strictly internal
to the JIT and not in any way part of the eBPF architecture. Just like
in the same way as JITs internally make use of some helper registers
when emitting code, only that here the helper register is one
abstraction level higher in eBPF bytecode, but nevertheless in JIT
phase. That helper register is needed since f.e. manually written
program can issue loads to all registers of eBPF architecture.
The core concept with the additional register is: blind out all 32
and 64 bit constants by converting BPF_K based instructions into a
small sequence from K_VAL into ((RND ^ K_VAL) ^ RND). Therefore, this
is transformed into: BPF_REG_AX := (RND ^ K_VAL), BPF_REG_AX ^= RND,
and REG <OP> BPF_REG_AX, so actual operation on the target register
is translated from BPF_K into BPF_X one that is operating on
BPF_REG_AX's content. During rewriting phase when blinding, RND is
newly generated via prandom_u32() for each processed instruction.
64 bit loads are split into two 32 bit loads to make translation and
patching not too complex. Only basic thing required by JITs is to
call the helper bpf_jit_blind_constants()/bpf_jit_prog_release_other()
pair, and to map BPF_REG_AX into an unused register.
Small bpf_jit_disasm extract from [2] when applied to x86 JIT:
echo 0 > /proc/sys/net/core/bpf_jit_harden
ffffffffa034f5e9 + <x>:
[...]
39: mov $0xa8909090,%eax
3e: mov $0xa8909090,%eax
43: mov $0xa8ff3148,%eax
48: mov $0xa89081b4,%eax
4d: mov $0xa8900bb0,%eax
52: mov $0xa810e0c1,%eax
57: mov $0xa8908eb4,%eax
5c: mov $0xa89020b0,%eax
[...]
echo 1 > /proc/sys/net/core/bpf_jit_harden
ffffffffa034f1e5 + <x>:
[...]
39: mov $0xe1192563,%r10d
3f: xor $0x4989b5f3,%r10d
46: mov %r10d,%eax
49: mov $0xb8296d93,%r10d
4f: xor $0x10b9fd03,%r10d
56: mov %r10d,%eax
59: mov $0x8c381146,%r10d
5f: xor $0x24c7200e,%r10d
66: mov %r10d,%eax
69: mov $0xeb2a830e,%r10d
6f: xor $0x43ba02ba,%r10d
76: mov %r10d,%eax
79: mov $0xd9730af,%r10d
7f: xor $0xa5073b1f,%r10d
86: mov %r10d,%eax
89: mov $0x9a45662b,%r10d
8f: xor $0x325586ea,%r10d
96: mov %r10d,%eax
[...]
As can be seen, original constants that carry payload are hidden
when enabled, actual operations are transformed from constant-based
to register-based ones, making jumps into constants ineffective.
Above extract/example uses single BPF load instruction over and
over, but of course all instructions with constants are blinded.
Performance wise, JIT with blinding performs a bit slower than just
JIT and faster than interpreter case. This is expected, since we
still get all the performance benefits from JITing and in normal
use-cases not every single instruction needs to be blinded. Summing
up all 296 test cases averaged over multiple runs from test_bpf.ko
suite, interpreter was 55% slower than JIT only and JIT with blinding
was 8% slower than JIT only. Since there are also some extremes in
the test suite, I expect for ordinary workloads that the performance
for the JIT with blinding case is even closer to JIT only case,
f.e. nmap test case from suite has averaged timings in ns 29 (JIT),
35 (+ blinding), and 151 (interpreter).
BPF test suite, seccomp test suite, eBPF sample code and various
bigger networking eBPF programs have been tested with this and were
running fine. For testing purposes, I also adapted interpreter and
redirected blinded eBPF image to interpreter and also here all tests
pass.
[1] http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
[2] https://github.com/01org/jit-spray-poc-for-ksp/
[3] http://www.openwall.com/lists/kernel-hardening/2016/05/03/5
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Elena Reshetova <elena.reshetova@intel.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-14 01:08:32 +08:00
|
|
|
|
bpf: make jited programs visible in traces
Long standing issue with JITed programs is that stack traces from
function tracing check whether a given address is kernel code
through {__,}kernel_text_address(), which checks for code in core
kernel, modules and dynamically allocated ftrace trampolines. But
what is still missing is BPF JITed programs (interpreted programs
are not an issue as __bpf_prog_run() will be attributed to them),
thus when a stack trace is triggered, the code walking the stack
won't see any of the JITed ones. The same for address correlation
done from user space via reading /proc/kallsyms. This is read by
tools like perf, but the latter is also useful for permanent live
tracing with eBPF itself in combination with stack maps when other
eBPF types are part of the callchain. See offwaketime example on
dumping stack from a map.
This work tries to tackle that issue by making the addresses and
symbols known to the kernel. The lookup from *kernel_text_address()
is implemented through a latched RB tree that can be read under
RCU in fast-path that is also shared for symbol/size/offset lookup
for a specific given address in kallsyms. The slow-path iteration
through all symbols in the seq file done via RCU list, which holds
a tiny fraction of all exported ksyms, usually below 0.1 percent.
Function symbols are exported as bpf_prog_<tag>, in order to aide
debugging and attribution. This facility is currently enabled for
root-only when bpf_jit_kallsyms is set to 1, and disabled if hardening
is active in any mode. The rationale behind this is that still a lot
of systems ship with world read permissions on kallsyms thus addresses
should not get suddenly exposed for them. If that situation gets
much better in future, we always have the option to change the
default on this. Likewise, unprivileged programs are not allowed
to add entries there either, but that is less of a concern as most
such programs types relevant in this context are for root-only anyway.
If enabled, call graphs and stack traces will then show a correct
attribution; one example is illustrated below, where the trace is
now visible in tooling such as perf script --kallsyms=/proc/kallsyms
and friends.
Before:
7fff8166889d bpf_clone_redirect+0x80007f0020ed (/lib/modules/4.9.0-rc8+/build/vmlinux)
f5d80 __sendmsg_nocancel+0xffff006451f1a007 (/usr/lib64/libc-2.18.so)
After:
7fff816688b7 bpf_clone_redirect+0x80007f002107 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fffa0575728 bpf_prog_33c45a467c9e061a+0x8000600020fb (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fffa07ef1fc cls_bpf_classify+0x8000600020dc (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff81678b68 tc_classify+0x80007f002078 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164d40b __netif_receive_skb_core+0x80007f0025fb (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164d718 __netif_receive_skb+0x80007f002018 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164e565 process_backlog+0x80007f002095 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164dc71 net_rx_action+0x80007f002231 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff81767461 __softirqentry_text_start+0x80007f0020d1 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff817658ac do_softirq_own_stack+0x80007f00201c (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff810a2c20 do_softirq+0x80007f002050 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff810a2cb5 __local_bh_enable_ip+0x80007f002085 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168d452 ip_finish_output2+0x80007f002152 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168ea3d ip_finish_output+0x80007f00217d (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168f2af ip_output+0x80007f00203f (/lib/modules/4.9.0-rc8+/build/vmlinux)
[...]
7fff81005854 do_syscall_64+0x80007f002054 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff817649eb return_from_SYSCALL_64+0x80007f002000 (/lib/modules/4.9.0-rc8+/build/vmlinux)
f5d80 __sendmsg_nocancel+0xffff01c484812007 (/usr/lib64/libc-2.18.so)
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-17 05:24:50 +08:00
|
|
|
bpf_jit_kallsyms
|
|
|
|
----------------
|
|
|
|
|
2017-08-18 23:11:06 +08:00
|
|
|
When BPF JIT compiler is enabled, then compiled images are unknown
|
|
|
|
addresses to the kernel, meaning they neither show up in traces nor
|
|
|
|
in /proc/kallsyms. This enables export of these addresses, which can
|
|
|
|
be used for debugging/tracing. If bpf_jit_harden is enabled, this
|
|
|
|
feature is disabled.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
bpf: make jited programs visible in traces
Long standing issue with JITed programs is that stack traces from
function tracing check whether a given address is kernel code
through {__,}kernel_text_address(), which checks for code in core
kernel, modules and dynamically allocated ftrace trampolines. But
what is still missing is BPF JITed programs (interpreted programs
are not an issue as __bpf_prog_run() will be attributed to them),
thus when a stack trace is triggered, the code walking the stack
won't see any of the JITed ones. The same for address correlation
done from user space via reading /proc/kallsyms. This is read by
tools like perf, but the latter is also useful for permanent live
tracing with eBPF itself in combination with stack maps when other
eBPF types are part of the callchain. See offwaketime example on
dumping stack from a map.
This work tries to tackle that issue by making the addresses and
symbols known to the kernel. The lookup from *kernel_text_address()
is implemented through a latched RB tree that can be read under
RCU in fast-path that is also shared for symbol/size/offset lookup
for a specific given address in kallsyms. The slow-path iteration
through all symbols in the seq file done via RCU list, which holds
a tiny fraction of all exported ksyms, usually below 0.1 percent.
Function symbols are exported as bpf_prog_<tag>, in order to aide
debugging and attribution. This facility is currently enabled for
root-only when bpf_jit_kallsyms is set to 1, and disabled if hardening
is active in any mode. The rationale behind this is that still a lot
of systems ship with world read permissions on kallsyms thus addresses
should not get suddenly exposed for them. If that situation gets
much better in future, we always have the option to change the
default on this. Likewise, unprivileged programs are not allowed
to add entries there either, but that is less of a concern as most
such programs types relevant in this context are for root-only anyway.
If enabled, call graphs and stack traces will then show a correct
attribution; one example is illustrated below, where the trace is
now visible in tooling such as perf script --kallsyms=/proc/kallsyms
and friends.
Before:
7fff8166889d bpf_clone_redirect+0x80007f0020ed (/lib/modules/4.9.0-rc8+/build/vmlinux)
f5d80 __sendmsg_nocancel+0xffff006451f1a007 (/usr/lib64/libc-2.18.so)
After:
7fff816688b7 bpf_clone_redirect+0x80007f002107 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fffa0575728 bpf_prog_33c45a467c9e061a+0x8000600020fb (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fffa07ef1fc cls_bpf_classify+0x8000600020dc (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff81678b68 tc_classify+0x80007f002078 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164d40b __netif_receive_skb_core+0x80007f0025fb (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164d718 __netif_receive_skb+0x80007f002018 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164e565 process_backlog+0x80007f002095 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164dc71 net_rx_action+0x80007f002231 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff81767461 __softirqentry_text_start+0x80007f0020d1 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff817658ac do_softirq_own_stack+0x80007f00201c (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff810a2c20 do_softirq+0x80007f002050 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff810a2cb5 __local_bh_enable_ip+0x80007f002085 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168d452 ip_finish_output2+0x80007f002152 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168ea3d ip_finish_output+0x80007f00217d (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168f2af ip_output+0x80007f00203f (/lib/modules/4.9.0-rc8+/build/vmlinux)
[...]
7fff81005854 do_syscall_64+0x80007f002054 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff817649eb return_from_SYSCALL_64+0x80007f002000 (/lib/modules/4.9.0-rc8+/build/vmlinux)
f5d80 __sendmsg_nocancel+0xffff01c484812007 (/usr/lib64/libc-2.18.so)
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-17 05:24:50 +08:00
|
|
|
Values :
|
2019-04-19 05:35:54 +08:00
|
|
|
|
|
|
|
- 0 - disable JIT kallsyms export (default value)
|
|
|
|
- 1 - enable JIT kallsyms export for privileged users only
|
bpf: make jited programs visible in traces
Long standing issue with JITed programs is that stack traces from
function tracing check whether a given address is kernel code
through {__,}kernel_text_address(), which checks for code in core
kernel, modules and dynamically allocated ftrace trampolines. But
what is still missing is BPF JITed programs (interpreted programs
are not an issue as __bpf_prog_run() will be attributed to them),
thus when a stack trace is triggered, the code walking the stack
won't see any of the JITed ones. The same for address correlation
done from user space via reading /proc/kallsyms. This is read by
tools like perf, but the latter is also useful for permanent live
tracing with eBPF itself in combination with stack maps when other
eBPF types are part of the callchain. See offwaketime example on
dumping stack from a map.
This work tries to tackle that issue by making the addresses and
symbols known to the kernel. The lookup from *kernel_text_address()
is implemented through a latched RB tree that can be read under
RCU in fast-path that is also shared for symbol/size/offset lookup
for a specific given address in kallsyms. The slow-path iteration
through all symbols in the seq file done via RCU list, which holds
a tiny fraction of all exported ksyms, usually below 0.1 percent.
Function symbols are exported as bpf_prog_<tag>, in order to aide
debugging and attribution. This facility is currently enabled for
root-only when bpf_jit_kallsyms is set to 1, and disabled if hardening
is active in any mode. The rationale behind this is that still a lot
of systems ship with world read permissions on kallsyms thus addresses
should not get suddenly exposed for them. If that situation gets
much better in future, we always have the option to change the
default on this. Likewise, unprivileged programs are not allowed
to add entries there either, but that is less of a concern as most
such programs types relevant in this context are for root-only anyway.
If enabled, call graphs and stack traces will then show a correct
attribution; one example is illustrated below, where the trace is
now visible in tooling such as perf script --kallsyms=/proc/kallsyms
and friends.
Before:
7fff8166889d bpf_clone_redirect+0x80007f0020ed (/lib/modules/4.9.0-rc8+/build/vmlinux)
f5d80 __sendmsg_nocancel+0xffff006451f1a007 (/usr/lib64/libc-2.18.so)
After:
7fff816688b7 bpf_clone_redirect+0x80007f002107 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fffa0575728 bpf_prog_33c45a467c9e061a+0x8000600020fb (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fffa07ef1fc cls_bpf_classify+0x8000600020dc (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff81678b68 tc_classify+0x80007f002078 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164d40b __netif_receive_skb_core+0x80007f0025fb (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164d718 __netif_receive_skb+0x80007f002018 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164e565 process_backlog+0x80007f002095 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8164dc71 net_rx_action+0x80007f002231 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff81767461 __softirqentry_text_start+0x80007f0020d1 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff817658ac do_softirq_own_stack+0x80007f00201c (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff810a2c20 do_softirq+0x80007f002050 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff810a2cb5 __local_bh_enable_ip+0x80007f002085 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168d452 ip_finish_output2+0x80007f002152 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168ea3d ip_finish_output+0x80007f00217d (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff8168f2af ip_output+0x80007f00203f (/lib/modules/4.9.0-rc8+/build/vmlinux)
[...]
7fff81005854 do_syscall_64+0x80007f002054 (/lib/modules/4.9.0-rc8+/build/vmlinux)
7fff817649eb return_from_SYSCALL_64+0x80007f002000 (/lib/modules/4.9.0-rc8+/build/vmlinux)
f5d80 __sendmsg_nocancel+0xffff01c484812007 (/usr/lib64/libc-2.18.so)
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-17 05:24:50 +08:00
|
|
|
|
2018-10-23 07:11:04 +08:00
|
|
|
bpf_jit_limit
|
|
|
|
-------------
|
|
|
|
|
|
|
|
This enforces a global limit for memory allocations to the BPF JIT
|
|
|
|
compiler in order to reject unprivileged JIT requests once it has
|
|
|
|
been surpassed. bpf_jit_limit contains the value of the global limit
|
|
|
|
in bytes.
|
|
|
|
|
2012-04-27 00:52:52 +08:00
|
|
|
dev_weight
|
2019-04-19 05:35:54 +08:00
|
|
|
----------
|
2012-04-27 00:52:52 +08:00
|
|
|
|
|
|
|
The maximum number of packets that kernel can handle on a NAPI interrupt,
|
2017-12-20 05:12:56 +08:00
|
|
|
it's a Per-CPU variable. For drivers that support LRO or GRO_HW, a hardware
|
|
|
|
aggregated packet is counted as one packet in this context.
|
|
|
|
|
2012-04-27 00:52:52 +08:00
|
|
|
Default: 64
|
|
|
|
|
2016-12-30 04:37:21 +08:00
|
|
|
dev_weight_rx_bias
|
2019-04-19 05:35:54 +08:00
|
|
|
------------------
|
2016-12-30 04:37:21 +08:00
|
|
|
|
|
|
|
RPS (e.g. RFS, aRFS) processing is competing with the registered NAPI poll function
|
|
|
|
of the driver for the per softirq cycle netdev_budget. This parameter influences
|
|
|
|
the proportion of the configured netdev_budget that is spent on RPS based packet
|
|
|
|
processing during RX softirq cycles. It is further meant for making current
|
|
|
|
dev_weight adaptable for asymmetric CPU needs on RX/TX side of the network stack.
|
|
|
|
(see dev_weight_tx_bias) It is effective on a per CPU basis. Determination is based
|
|
|
|
on dev_weight and is calculated multiplicative (dev_weight * dev_weight_rx_bias).
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2016-12-30 04:37:21 +08:00
|
|
|
Default: 1
|
|
|
|
|
|
|
|
dev_weight_tx_bias
|
2019-04-19 05:35:54 +08:00
|
|
|
------------------
|
2016-12-30 04:37:21 +08:00
|
|
|
|
|
|
|
Scales the maximum number of packets that can be processed during a TX softirq cycle.
|
|
|
|
Effective on a per CPU basis. Allows scaling of current dev_weight for asymmetric
|
|
|
|
net stack processing needs. Be careful to avoid making TX softirq processing a CPU hog.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2016-12-30 04:37:21 +08:00
|
|
|
Calculation is based on dev_weight (dev_weight * dev_weight_tx_bias).
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2016-12-30 04:37:21 +08:00
|
|
|
Default: 1
|
|
|
|
|
2013-08-28 07:19:08 +08:00
|
|
|
default_qdisc
|
2019-04-19 05:35:54 +08:00
|
|
|
-------------
|
2013-08-28 07:19:08 +08:00
|
|
|
|
|
|
|
The default queuing discipline to use for network devices. This allows
|
2015-09-15 16:33:07 +08:00
|
|
|
overriding the default of pfifo_fast with an alternative. Since the default
|
|
|
|
queuing discipline is created without additional parameters so is best suited
|
|
|
|
to queuing disciplines that work well without configuration like stochastic
|
|
|
|
fair queue (sfq), CoDel (codel) or fair queue CoDel (fq_codel). Don't use
|
|
|
|
queuing disciplines like Hierarchical Token Bucket or Deficit Round Robin
|
|
|
|
which require setting up classes and bandwidths. Note that physical multiqueue
|
|
|
|
interfaces still use mq as root qdisc, which in turn uses this default for its
|
|
|
|
leaves. Virtual devices (like e.g. lo or veth) ignore this setting and instead
|
|
|
|
default to noqueue.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2013-08-28 07:19:08 +08:00
|
|
|
Default: pfifo_fast
|
|
|
|
|
2013-07-10 22:13:36 +08:00
|
|
|
busy_read
|
2019-04-19 05:35:54 +08:00
|
|
|
---------
|
|
|
|
|
2013-08-01 11:10:25 +08:00
|
|
|
Low latency busy poll timeout for socket reads. (needs CONFIG_NET_RX_BUSY_POLL)
|
2013-07-08 21:20:34 +08:00
|
|
|
Approximate time in us to busy loop waiting for packets on the device queue.
|
2013-07-10 22:13:36 +08:00
|
|
|
This sets the default value of the SO_BUSY_POLL socket option.
|
|
|
|
Can be set or overridden per socket by setting socket option SO_BUSY_POLL,
|
|
|
|
which is the preferred method of enabling. If you need to enable the feature
|
|
|
|
globally via sysctl, a value of 50 is recommended.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2013-07-08 21:20:34 +08:00
|
|
|
Will increase power usage.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2013-06-10 16:39:50 +08:00
|
|
|
Default: 0 (off)
|
|
|
|
|
2013-07-10 22:13:36 +08:00
|
|
|
busy_poll
|
2013-06-24 15:28:03 +08:00
|
|
|
----------------
|
2013-08-01 11:10:25 +08:00
|
|
|
Low latency busy poll timeout for poll and select. (needs CONFIG_NET_RX_BUSY_POLL)
|
2013-07-08 21:20:34 +08:00
|
|
|
Approximate time in us to busy loop waiting for events.
|
2013-06-24 15:28:03 +08:00
|
|
|
Recommended value depends on the number of sockets you poll on.
|
|
|
|
For several sockets 50, for several hundreds 100.
|
|
|
|
For more than that you probably want to use epoll.
|
2013-07-10 22:13:36 +08:00
|
|
|
Note that only sockets with SO_BUSY_POLL set will be busy polled,
|
|
|
|
so you want to either selectively set SO_BUSY_POLL on those sockets or set
|
|
|
|
sysctl.net.busy_read globally.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2013-07-08 21:20:34 +08:00
|
|
|
Will increase power usage.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2013-06-24 15:28:03 +08:00
|
|
|
Default: 0 (off)
|
|
|
|
|
2009-04-03 07:57:20 +08:00
|
|
|
rmem_default
|
|
|
|
------------
|
|
|
|
|
|
|
|
The default setting of the socket receive buffer in bytes.
|
|
|
|
|
|
|
|
rmem_max
|
|
|
|
--------
|
|
|
|
|
|
|
|
The maximum receive socket buffer size in bytes.
|
|
|
|
|
2015-01-31 02:29:32 +08:00
|
|
|
tstamp_allow_data
|
|
|
|
-----------------
|
|
|
|
Allow processes to receive tx timestamps looped together with the original
|
|
|
|
packet contents. If disabled, transmit timestamp requests from unprivileged
|
|
|
|
processes are dropped unless socket option SOF_TIMESTAMPING_OPT_TSONLY is set.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2015-01-31 02:29:32 +08:00
|
|
|
Default: 1 (on)
|
|
|
|
|
|
|
|
|
2009-04-03 07:57:20 +08:00
|
|
|
wmem_default
|
|
|
|
------------
|
|
|
|
|
|
|
|
The default setting (in bytes) of the socket send buffer.
|
|
|
|
|
|
|
|
wmem_max
|
|
|
|
--------
|
|
|
|
|
|
|
|
The maximum send socket buffer size in bytes.
|
|
|
|
|
|
|
|
message_burst and message_cost
|
|
|
|
------------------------------
|
|
|
|
|
|
|
|
These parameters are used to limit the warning messages written to the kernel
|
|
|
|
log from the networking code. They enforce a rate limit to make a
|
|
|
|
denial-of-service attack impossible. A higher message_cost factor, results in
|
|
|
|
fewer messages that will be written. Message_burst controls when messages will
|
|
|
|
be dropped. The default settings limit warning messages to one every five
|
|
|
|
seconds.
|
|
|
|
|
|
|
|
warnings
|
|
|
|
--------
|
|
|
|
|
2014-11-12 02:59:17 +08:00
|
|
|
This sysctl is now unused.
|
|
|
|
|
|
|
|
This was used to control console messages from the networking stack that
|
|
|
|
occur because of problems on the network like duplicate address or bad
|
|
|
|
checksums.
|
|
|
|
|
|
|
|
These messages are now emitted at KERN_DEBUG and can generally be enabled
|
|
|
|
and controlled by the dynamic_debug facility.
|
2009-04-03 07:57:20 +08:00
|
|
|
|
|
|
|
netdev_budget
|
|
|
|
-------------
|
|
|
|
|
|
|
|
Maximum number of packets taken from all interfaces in one polling cycle (NAPI
|
|
|
|
poll). In one polling cycle interfaces which are registered to polling are
|
2017-04-20 00:37:10 +08:00
|
|
|
probed in a round-robin manner. Also, a polling cycle may not exceed
|
|
|
|
netdev_budget_usecs microseconds, even if netdev_budget has not been
|
|
|
|
exhausted.
|
|
|
|
|
|
|
|
netdev_budget_usecs
|
|
|
|
---------------------
|
|
|
|
|
|
|
|
Maximum number of microseconds in one NAPI polling cycle. Polling
|
|
|
|
will exit when either netdev_budget_usecs have elapsed during the
|
|
|
|
poll cycle or the number of packets processed reaches netdev_budget.
|
2009-04-03 07:57:20 +08:00
|
|
|
|
|
|
|
netdev_max_backlog
|
|
|
|
------------------
|
|
|
|
|
|
|
|
Maximum number of packets, queued on the INPUT side, when the interface
|
|
|
|
receives packets faster than kernel can process them.
|
|
|
|
|
2014-11-16 22:23:05 +08:00
|
|
|
netdev_rss_key
|
|
|
|
--------------
|
|
|
|
|
|
|
|
RSS (Receive Side Scaling) enabled drivers use a 40 bytes host key that is
|
|
|
|
randomly generated.
|
|
|
|
Some user space might need to gather its content even if drivers do not
|
|
|
|
provide ethtool -x support yet.
|
|
|
|
|
2019-04-19 05:35:54 +08:00
|
|
|
::
|
|
|
|
|
|
|
|
myhost:~# cat /proc/sys/net/core/netdev_rss_key
|
|
|
|
84:50:f4:00:a8:15:d1:a7:e9:7f:1d:60:35:c7:47:25:42:97:74:ca:56:bb:b6:a1:d8: ... (52 bytes total)
|
2014-11-16 22:23:05 +08:00
|
|
|
|
|
|
|
File contains nul bytes if no driver ever called netdev_rss_key_fill() function.
|
2019-04-19 05:35:54 +08:00
|
|
|
|
2014-11-16 22:23:05 +08:00
|
|
|
Note:
|
2019-04-19 05:35:54 +08:00
|
|
|
/proc/sys/net/core/netdev_rss_key contains 52 bytes of key,
|
|
|
|
but most drivers only use 40 bytes of it.
|
|
|
|
|
|
|
|
::
|
2014-11-16 22:23:05 +08:00
|
|
|
|
2019-04-19 05:35:54 +08:00
|
|
|
myhost:~# ethtool -x eth0
|
|
|
|
RX flow hash indirection table for eth0 with 8 RX ring(s):
|
|
|
|
0: 0 1 2 3 4 5 6 7
|
|
|
|
RSS hash key:
|
|
|
|
84:50:f4:00:a8:15:d1:a7:e9:7f:1d:60:35:c7:47:25:42:97:74:ca:56:bb:b6:a1:d8:43:e3:c9:0c:fd:17:55:c2:3a:4d:69:ed:f1:42:89
|
2020-10-27 17:51:08 +08:00
|
|
|
|
net: Consistent skb timestamping
With RPS inclusion, skb timestamping is not consistent in RX path.
If netif_receive_skb() is used, its deferred after RPS dispatch.
If netif_rx() is used, its done before RPS dispatch.
This can give strange tcpdump timestamps results.
I think timestamping should be done as soon as possible in the receive
path, to get meaningful values (ie timestamps taken at the time packet
was delivered by NIC driver to our stack), even if NAPI already can
defer timestamping a bit (RPS can help to reduce the gap)
Tom Herbert prefer to sample timestamps after RPS dispatch. In case
sampling is expensive (HPET/acpi_pm on x86), this makes sense.
Let admins switch from one mode to another, using a new
sysctl, /proc/sys/net/core/netdev_tstamp_prequeue
Its default value (1), means timestamps are taken as soon as possible,
before backlog queueing, giving accurate timestamps.
Setting a 0 value permits to sample timestamps when processing backlog,
after RPS dispatch, to lower the load of the pre-RPS cpu.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-05-16 14:57:10 +08:00
|
|
|
netdev_tstamp_prequeue
|
|
|
|
----------------------
|
|
|
|
|
|
|
|
If set to 0, RX packet timestamps can be sampled after RPS processing, when
|
|
|
|
the target CPU processes packets. It might give some delay on timestamps, but
|
|
|
|
permit to distribute the load on several cpus.
|
|
|
|
|
|
|
|
If set to 1 (default), timestamps are sampled as soon as possible, before
|
|
|
|
queueing.
|
|
|
|
|
2021-03-23 14:49:23 +08:00
|
|
|
netdev_unregister_timeout_secs
|
|
|
|
------------------------------
|
|
|
|
|
|
|
|
Unregister network device timeout in seconds.
|
|
|
|
This option controls the timeout (in seconds) used to issue a warning while
|
|
|
|
waiting for a network device refcount to drop to 0 during device
|
|
|
|
unregistration. A lower value may be useful during bisection to detect
|
|
|
|
a leaked reference faster. A larger value may be useful to prevent false
|
|
|
|
warnings on slow/loaded systems.
|
2021-03-25 22:52:45 +08:00
|
|
|
Default value is 10, minimum 1, maximum 3600.
|
2021-03-23 14:49:23 +08:00
|
|
|
|
2009-04-03 07:57:20 +08:00
|
|
|
optmem_max
|
|
|
|
----------
|
|
|
|
|
|
|
|
Maximum ancillary buffer size allowed per socket. Ancillary data is a sequence
|
|
|
|
of struct cmsghdr structures with appended data.
|
|
|
|
|
net: do not create fallback tunnels for non-default namespaces
fallback tunnels (like tunl0, gre0, gretap0, erspan0, sit0,
ip6tnl0, ip6gre0) are automatically created when the corresponding
module is loaded.
These tunnels are also automatically created when a new network
namespace is created, at a great cost.
In many cases, netns are used for isolation purposes, and these
extra network devices are a waste of resources. We are using
thousands of netns per host, and hit the netns creation/delete
bottleneck a lot. (Many thanks to Kirill for recent work on this)
Add a new sysctl so that we can opt-out from this automatic creation.
Note that these tunnels are still created for the initial namespace,
to be the least intrusive for typical setups.
Tested:
lpk43:~# cat add_del_unshare.sh
for i in `seq 1 40`
do
(for j in `seq 1 100` ; do unshare -n /bin/true >/dev/null ; done) &
done
wait
lpk43:~# echo 0 >/proc/sys/net/core/fb_tunnels_only_for_init_net
lpk43:~# time ./add_del_unshare.sh
real 0m37.521s
user 0m0.886s
sys 7m7.084s
lpk43:~# echo 1 >/proc/sys/net/core/fb_tunnels_only_for_init_net
lpk43:~# time ./add_del_unshare.sh
real 0m4.761s
user 0m0.851s
sys 1m8.343s
lpk43:~#
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-09 04:51:41 +08:00
|
|
|
fb_tunnels_only_for_init_net
|
|
|
|
----------------------------
|
|
|
|
|
|
|
|
Controls if fallback tunnels (like tunl0, gre0, gretap0, erspan0,
|
2020-08-27 00:05:35 +08:00
|
|
|
sit0, ip6tnl0, ip6gre0) are automatically created. There are 3 possibilities
|
|
|
|
(a) value = 0; respective fallback tunnels are created when module is
|
|
|
|
loaded in every net namespaces (backward compatible behavior).
|
|
|
|
(b) value = 1; [kcmd value: initns] respective fallback tunnels are
|
|
|
|
created only in init net namespace and every other net namespace will
|
|
|
|
not have them.
|
|
|
|
(c) value = 2; [kcmd value: none] fallback tunnels are not created
|
|
|
|
when a module is loaded in any of the net namespace. Setting value to
|
|
|
|
"2" is pointless after boot if these modules are built-in, so there is
|
|
|
|
a kernel command-line option that can change this default. Please refer to
|
|
|
|
Documentation/admin-guide/kernel-parameters.txt for additional details.
|
|
|
|
|
|
|
|
Not creating fallback tunnels gives control to userspace to create
|
|
|
|
whatever is needed only and avoid creating devices which are redundant.
|
net: do not create fallback tunnels for non-default namespaces
fallback tunnels (like tunl0, gre0, gretap0, erspan0, sit0,
ip6tnl0, ip6gre0) are automatically created when the corresponding
module is loaded.
These tunnels are also automatically created when a new network
namespace is created, at a great cost.
In many cases, netns are used for isolation purposes, and these
extra network devices are a waste of resources. We are using
thousands of netns per host, and hit the netns creation/delete
bottleneck a lot. (Many thanks to Kirill for recent work on this)
Add a new sysctl so that we can opt-out from this automatic creation.
Note that these tunnels are still created for the initial namespace,
to be the least intrusive for typical setups.
Tested:
lpk43:~# cat add_del_unshare.sh
for i in `seq 1 40`
do
(for j in `seq 1 100` ; do unshare -n /bin/true >/dev/null ; done) &
done
wait
lpk43:~# echo 0 >/proc/sys/net/core/fb_tunnels_only_for_init_net
lpk43:~# time ./add_del_unshare.sh
real 0m37.521s
user 0m0.886s
sys 7m7.084s
lpk43:~# echo 1 >/proc/sys/net/core/fb_tunnels_only_for_init_net
lpk43:~# time ./add_del_unshare.sh
real 0m4.761s
user 0m0.851s
sys 1m8.343s
lpk43:~#
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-09 04:51:41 +08:00
|
|
|
|
|
|
|
Default : 0 (for compatibility reasons)
|
|
|
|
|
2019-01-18 15:27:11 +08:00
|
|
|
devconf_inherit_init_net
|
2019-04-19 05:35:54 +08:00
|
|
|
------------------------
|
2019-01-18 15:27:11 +08:00
|
|
|
|
|
|
|
Controls if a new network namespace should inherit all current
|
|
|
|
settings under /proc/sys/net/{ipv4,ipv6}/conf/{all,default}/. By
|
|
|
|
default, we keep the current behavior: for IPv4 we inherit all current
|
|
|
|
settings from init_net and for IPv6 we reset all settings to default.
|
|
|
|
|
|
|
|
If set to 1, both IPv4 and IPv6 settings are forced to inherit from
|
|
|
|
current ones in init_net. If set to 2, both IPv4 and IPv6 settings are
|
2020-05-13 21:58:43 +08:00
|
|
|
forced to reset to their default values. If set to 3, both IPv4 and IPv6
|
|
|
|
settings are forced to inherit from current ones in the netns where this
|
|
|
|
new netns has been created.
|
2019-01-18 15:27:11 +08:00
|
|
|
|
|
|
|
Default : 0 (for compatibility reasons)
|
|
|
|
|
2009-04-03 07:57:20 +08:00
|
|
|
2. /proc/sys/net/unix - Parameters for Unix domain sockets
|
2019-04-19 05:35:54 +08:00
|
|
|
----------------------------------------------------------
|
2009-04-03 07:57:20 +08:00
|
|
|
|
2009-04-03 07:57:21 +08:00
|
|
|
There is only one file in this directory.
|
|
|
|
unix_dgram_qlen limits the max number of datagrams queued in Unix domain
|
2009-04-14 05:39:36 +08:00
|
|
|
socket's buffer. It will not take effect unless PF_UNIX flag is specified.
|
2009-04-03 07:57:20 +08:00
|
|
|
|
|
|
|
|
|
|
|
3. /proc/sys/net/ipv4 - IPV4 settings
|
2019-04-19 05:35:54 +08:00
|
|
|
-------------------------------------
|
2020-04-28 06:01:52 +08:00
|
|
|
Please see: Documentation/networking/ip-sysctl.rst and
|
|
|
|
Documentation/admin-guide/sysctl/net.rst for descriptions of these entries.
|
2009-04-03 07:57:20 +08:00
|
|
|
|
|
|
|
|
|
|
|
4. Appletalk
|
2019-04-19 05:35:54 +08:00
|
|
|
------------
|
2009-04-03 07:57:20 +08:00
|
|
|
|
|
|
|
The /proc/sys/net/appletalk directory holds the Appletalk configuration data
|
|
|
|
when Appletalk is loaded. The configurable parameters are:
|
|
|
|
|
|
|
|
aarp-expiry-time
|
|
|
|
----------------
|
|
|
|
|
|
|
|
The amount of time we keep an ARP entry before expiring it. Used to age out
|
|
|
|
old hosts.
|
|
|
|
|
|
|
|
aarp-resolve-time
|
|
|
|
-----------------
|
|
|
|
|
|
|
|
The amount of time we will spend trying to resolve an Appletalk address.
|
|
|
|
|
|
|
|
aarp-retransmit-limit
|
|
|
|
---------------------
|
|
|
|
|
|
|
|
The number of times we will retransmit a query before giving up.
|
|
|
|
|
|
|
|
aarp-tick-time
|
|
|
|
--------------
|
|
|
|
|
|
|
|
Controls the rate at which expires are checked.
|
|
|
|
|
|
|
|
The directory /proc/net/appletalk holds the list of active Appletalk sockets
|
|
|
|
on a machine.
|
|
|
|
|
|
|
|
The fields indicate the DDP type, the local address (in network:node format)
|
|
|
|
the remote address, the size of the transmit pending queue, the size of the
|
|
|
|
received queue (bytes waiting for applications to read) the state and the uid
|
|
|
|
owning the socket.
|
|
|
|
|
|
|
|
/proc/net/atalk_iface lists all the interfaces configured for appletalk.It
|
|
|
|
shows the name of the interface, its Appletalk address, the network range on
|
|
|
|
that address (or network number for phase 1 networks), and the status of the
|
|
|
|
interface.
|
|
|
|
|
|
|
|
/proc/net/atalk_route lists each known network route. It lists the target
|
|
|
|
(network) that the route leads to, the router (may be directly connected), the
|
|
|
|
route flags, and the device the route is using.
|
|
|
|
|
2019-08-06 06:30:02 +08:00
|
|
|
5. TIPC
|
2019-04-19 05:35:54 +08:00
|
|
|
-------
|
2013-06-17 22:54:37 +08:00
|
|
|
|
tipc: add name distributor resiliency queue
TIPC name table updates are distributed asynchronously in a cluster,
entailing a risk of certain race conditions. E.g., if two nodes
simultaneously issue conflicting (overlapping) publications, this may
not be detected until both publications have reached a third node, in
which case one of the publications will be silently dropped on that
node. Hence, we end up with an inconsistent name table.
In most cases this conflict is just a temporary race, e.g., one
node is issuing a publication under the assumption that a previous,
conflicting, publication has already been withdrawn by the other node.
However, because of the (rtt related) distributed update delay, this
may not yet hold true on all nodes. The symptom of this failure is a
syslog message: "tipc: Cannot publish {%u,%u,%u}, overlap error".
In this commit we add a resiliency queue at the receiving end of
the name table distributor. When insertion of an arriving publication
fails, we retain it in this queue for a short amount of time, assuming
that another update will arrive very soon and clear the conflict. If so
happens, we insert the publication, otherwise we drop it.
The (configurable) retention value defaults to 2000 ms. Knowing from
experience that the situation described above is extremely rare, there
is no risk that the queue will accumulate any large number of items.
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-08-28 15:08:47 +08:00
|
|
|
tipc_rmem
|
2019-04-19 05:35:54 +08:00
|
|
|
---------
|
tipc: add name distributor resiliency queue
TIPC name table updates are distributed asynchronously in a cluster,
entailing a risk of certain race conditions. E.g., if two nodes
simultaneously issue conflicting (overlapping) publications, this may
not be detected until both publications have reached a third node, in
which case one of the publications will be silently dropped on that
node. Hence, we end up with an inconsistent name table.
In most cases this conflict is just a temporary race, e.g., one
node is issuing a publication under the assumption that a previous,
conflicting, publication has already been withdrawn by the other node.
However, because of the (rtt related) distributed update delay, this
may not yet hold true on all nodes. The symptom of this failure is a
syslog message: "tipc: Cannot publish {%u,%u,%u}, overlap error".
In this commit we add a resiliency queue at the receiving end of
the name table distributor. When insertion of an arriving publication
fails, we retain it in this queue for a short amount of time, assuming
that another update will arrive very soon and clear the conflict. If so
happens, we insert the publication, otherwise we drop it.
The (configurable) retention value defaults to 2000 ms. Knowing from
experience that the situation described above is extremely rare, there
is no risk that the queue will accumulate any large number of items.
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-08-28 15:08:47 +08:00
|
|
|
|
2013-06-17 22:54:37 +08:00
|
|
|
The TIPC protocol now has a tunable for the receive memory, similar to the
|
|
|
|
tcp_rmem - i.e. a vector of 3 INTEGERs: (min, default, max)
|
|
|
|
|
2019-04-19 05:35:54 +08:00
|
|
|
::
|
|
|
|
|
2013-06-17 22:54:37 +08:00
|
|
|
# cat /proc/sys/net/tipc/tipc_rmem
|
|
|
|
4252725 34021800 68043600
|
|
|
|
#
|
|
|
|
|
|
|
|
The max value is set to CONN_OVERLOAD_LIMIT, and the default and min values
|
|
|
|
are scaled (shifted) versions of that same value. Note that the min value
|
|
|
|
is not at this point in time used in any meaningful way, but the triplet is
|
|
|
|
preserved in order to be consistent with things like tcp_rmem.
|
tipc: add name distributor resiliency queue
TIPC name table updates are distributed asynchronously in a cluster,
entailing a risk of certain race conditions. E.g., if two nodes
simultaneously issue conflicting (overlapping) publications, this may
not be detected until both publications have reached a third node, in
which case one of the publications will be silently dropped on that
node. Hence, we end up with an inconsistent name table.
In most cases this conflict is just a temporary race, e.g., one
node is issuing a publication under the assumption that a previous,
conflicting, publication has already been withdrawn by the other node.
However, because of the (rtt related) distributed update delay, this
may not yet hold true on all nodes. The symptom of this failure is a
syslog message: "tipc: Cannot publish {%u,%u,%u}, overlap error".
In this commit we add a resiliency queue at the receiving end of
the name table distributor. When insertion of an arriving publication
fails, we retain it in this queue for a short amount of time, assuming
that another update will arrive very soon and clear the conflict. If so
happens, we insert the publication, otherwise we drop it.
The (configurable) retention value defaults to 2000 ms. Knowing from
experience that the situation described above is extremely rare, there
is no risk that the queue will accumulate any large number of items.
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-08-28 15:08:47 +08:00
|
|
|
|
|
|
|
named_timeout
|
2019-04-19 05:35:54 +08:00
|
|
|
-------------
|
tipc: add name distributor resiliency queue
TIPC name table updates are distributed asynchronously in a cluster,
entailing a risk of certain race conditions. E.g., if two nodes
simultaneously issue conflicting (overlapping) publications, this may
not be detected until both publications have reached a third node, in
which case one of the publications will be silently dropped on that
node. Hence, we end up with an inconsistent name table.
In most cases this conflict is just a temporary race, e.g., one
node is issuing a publication under the assumption that a previous,
conflicting, publication has already been withdrawn by the other node.
However, because of the (rtt related) distributed update delay, this
may not yet hold true on all nodes. The symptom of this failure is a
syslog message: "tipc: Cannot publish {%u,%u,%u}, overlap error".
In this commit we add a resiliency queue at the receiving end of
the name table distributor. When insertion of an arriving publication
fails, we retain it in this queue for a short amount of time, assuming
that another update will arrive very soon and clear the conflict. If so
happens, we insert the publication, otherwise we drop it.
The (configurable) retention value defaults to 2000 ms. Knowing from
experience that the situation described above is extremely rare, there
is no risk that the queue will accumulate any large number of items.
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-08-28 15:08:47 +08:00
|
|
|
|
|
|
|
TIPC name table updates are distributed asynchronously in a cluster, without
|
|
|
|
any form of transaction handling. This means that different race scenarios are
|
|
|
|
possible. One such is that a name withdrawal sent out by one node and received
|
|
|
|
by another node may arrive after a second, overlapping name publication already
|
|
|
|
has been accepted from a third node, although the conflicting updates
|
|
|
|
originally may have been issued in the correct sequential order.
|
|
|
|
If named_timeout is nonzero, failed topology updates will be placed on a defer
|
|
|
|
queue until another event arrives that clears the error, or until the timeout
|
|
|
|
expires. Value is in milliseconds.
|