Date: Thu, 7 Jun 2018 10:13:31 -0400 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Sean Bruno <sbruno@FreeBSD.org> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org, Johannes Lundberg <johalun0@gmail.com> Subject: Re: svn commit: r334719 - in head: cddl/lib/libdtrace lib/libc/sys sys/kern sys/netinet sys/netinet6 sys/sys Message-ID: <20180607141331.gaej4q6m2irqwnek@mutt-hbsd> In-Reply-To: <201806061545.w56Fjv3e076880@repo.freebsd.org> References: <201806061545.w56Fjv3e076880@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--ut6p25yqm73ezncy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jun 06, 2018 at 03:45:57PM +0000, Sean Bruno wrote: > Author: sbruno > Date: Wed Jun 6 15:45:57 2018 > New Revision: 334719 > URL: https://svnweb.freebsd.org/changeset/base/334719 >=20 > Log: > Load balance sockets with new SO_REUSEPORT_LB option. > =20 > This patch adds a new socket option, SO_REUSEPORT_LB, which allow multi= ple > programs or threads to bind to the same port and incoming connections w= ill be > load balanced using a hash function. > =20 > Most of the code was copied from a similar patch for DragonflyBSD. > =20 > However, in DragonflyBSD, load balancing is a global on/off setting and= can not > be set per socket. This patch allows for simultaneous use of both the c= urrent > SO_REUSEPORT and the new SO_REUSEPORT_LB options on the same system. > =20 > Required changes to structures: > Globally change so_options from 16 to 32 bit value to allow for more op= tions. > Add hashtable in pcbinfo to hold all SO_REUSEPORT_LB sockets. > =20 > Limitations: > As DragonflyBSD, a load balance group is limited to 256 pcbs (256 progr= ams or > threads sharing the same socket). > =20 > This is a substantially different contribution as compared to its origi= nal > incarnation at svn r332894 and reverted at svn r332967. Thanks to rwat= son@ > for the substantive feedback that is included in this commit. > =20 > Submitted by: Johannes Lundberg <johalun0@gmail.com> > Obtained from: DragonflyBSD > Relnotes: Yes > Sponsored by: Limelight Networks > Differential Revision: https://reviews.freebsd.org/D11003 Hey Sean, This is a rather interesting and useful feature. Thank you for committing it. It seems there are some security trade-offs being made for applications that opt-in to this feature: third-party applications, potentially malicious, could bind to the port. I wonder if we could prevent malicious abuse of this feature by introducing a random cookie. When a developer sets this option, the developer must specify a random value as a cookie. Applications who want to share the port, then, must also specify the cookie (perhaps via another socket option?). What are your thoughts? I'm CC'ing Johannes to get his thoughts as well. Thanks, --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --ut6p25yqm73ezncy Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAlsZPYcACgkQaoRlj1JF bu6aTRAAyP8aMIYYj55WmxTn/+ZPrdxMfmHMVMIUT4GLB7j2CocNJbvZV34JIzTx 5HKXHntPmHjbYlKuomDLXMaypezp0vrL1ZuryEAa24kSd/0jRJqi3LzWnmkfaPvW uBKTa3soPlBHErRBpc4ND1VAYYIQ793OZBDwTlfBUFh+xu5DXFKHPNW4+CqhpcAT Q8lgV7/yYU3XXvUI8DgwhJRq8WBtjAl6y3MJvEh4bmvs/DaVLrRU/zwGHHjef7vT Do4qUqAFrPxS6vCxqA1i8b0O/4lTZ3o94obFhqCgFiUt6UzPvGeG7/COnqUE3fnt lX/Gm+tzknLgrSF8ksMs/UrcexhXmB1m0xYWdre4Hj5DpK4A+2CZVSZw0vkWs8Tx MgGmtF1jRfDYjvfUy2tFyQOcAUPJ2oB7fGrZ0woe/EVmhsiqoN6M46kakLoCwkeR TBSauphH4nvnlYbw4a+DvnVBgtEfC+OJM1k1XsCvamdH7p3sn39T0sZA0Lo/FYD1 B9jWAxynzFdoZBqNGT9iNa4KhFAiaJekLTZplT1uDnFPt9H4z67phgpPot9yQtVQ HtKf8JNza79JrU/l1Gd5WdOLvynlew8Z5DRmmn/PWKumfKP+DzItSj25gbcApWD5 gY/tgKL3wtJ1Zjd7f18DqmtVd87li3qzBR7gv1L0GkoNZ4M0lbA= =Y5uN -----END PGP SIGNATURE----- --ut6p25yqm73ezncy--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180607141331.gaej4q6m2irqwnek>