Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implementation multi pattern regular expressions #2161

Open
wants to merge 26 commits into
base: master
Choose a base branch
from
Open

Implementation multi pattern regular expressions #2161

wants to merge 26 commits into from
+66,966 −2,123

Conversation

biathlon3
Copy link
Contributor

No description provided.

kingluo added 20 commits May 25, 2024 17:29
@kingluo
feat(1808): migrate to Linux 6.8.9
21e7fff 
close #1808
@kingluo
apply stats fix in advanced
8e0e942
@kingluo
remove duplicated sk->sk_cgrp_data.cgroup init
dc6d26d
@kingluo
disable AVX2 temporarily before fpu works
bca16f5
@kingluo
bignum_x86-64.S: replace ret with RET, to use __x86_return_thunk
1040a54 
#1808 (comment)
@kingluo
re-enable AVX2, replace ret with RET
95d8481
@kingluo
disable AVX2 for memcpy/memcmp/bzero temporarily to avoid userspace s…
86e3043 
…egfault
@kingluo
disable skb->head_frag assertion temporarily to avoid panic
e6256ea
@kingluo
fix TfwGState->curr type: ensure correct frang index
7c10e6a
@kingluo
filter out SO_EE_ORIGIN_TIMESTAMPING in sk->sk_error_queue
3d5730e
@kingluo
enable fpu in the whole softirq ctx
89d2f30
@kingluo
continue sk->sk_receive_queue processing in case of SO_EE_ORIGIN_TIME…
2e4a18d 
…STAMPING
@kingluo
fix assembly functions: RET and endbr64-jump-table
f8b1e53 
Problems:

1. In the new kernel, assembly functions uniformly return from
   `__x86_return_thunk`. However, our assembly code uses the original
   `ret` instruction, so objtool in the kernel will notice this is a naked
   return during compilation.

2. `SYM_FUNC_START` in the new kernel will add endbr64 to the head of
   the assembly function, and all indirect jumps to ENDBR instructions,
   that is, the code snippet within the same function, will fail, but we
   use jump tables in the assembly function to perform indirect jumps. It
   will raise CET exception:
   https://en.wikipedia.org/wiki/X86_instruction_listings#Added_with_Intel_CET).

Solutions:

1. Substitute the `ret` with `RET`, a macro in the new kernel to
   ensure the correct return.

2. `notrack jmp` and enable notrack in CPU setting:
   `wrmsrl(MSR_IA32_S_CET, CET_ENDBR_EN | CET_NO_TRACK_EN)`

As an aside, interestingly, if a user-mode C program uses a switch
statement that meets the conditions for generating a jump table (gcc
uses `-fcf-protection=full` by default), the generated jump table will
use a `jmp` with the `notrack` prefix, and IBT will be marked as `true`
in the `.note.gnu.property` section of the compiled elf file, so that
the `NO_TRACK_EN` of the `MSR` will be set to `true` in user mode when
the kernel is loaded. So user mode can use `notrack` to bypass CET
without caring about setting or not setting `NO_TRACK_EN`.
@kingluo
Merge remote-tracking branch 'origin/master' into jinhua/feat-1808-mi…
356c594 
…grate-to-linux-6.8.9
@kingluo
clean up temporary changes
8afb1d6
@kingluo
add linux-6.8.9.patch
e95951a
@kingluo
patch update: change for_each_possible_cpu to for_each_online_cpu
99bb027
@kingluo
handle SKBFL_SHARED_FRAG in flags, not tx_flags
c1c068b
@kingluo
merge master branch: 0dee025
96628ac
@kingluo
update linux-6.8.9.patch
f8de856
@biathlon3 biathlon3 linked an issue Jul 5, 2024 that may be closed by this pull request
Multi-pattern regular expressions #496
Open
@biathlon3 biathlon3 marked this pull request as draft July 5, 2024 14:08
@biathlon3
Copy link
Contributor Author

For deployment see file install.txt. Description will be expanded.

@biathlon3
Copy link
Contributor Author

This PR works on Kernel 6.8.9

Description of using hscollider - http://intel.github.io/hyperscan/dev-reference/tools.html

Description of regular expression syntax - https://perldoc.perl.org/perlre
It is supported in Hyperscan not fully, constraints described here - http://intel.github.io/hyperscan/dev-reference/compilation.html

Now regex implemented in tempasta config as fallows:
for locations, added keyword "regex" and regex started with "^";
for httptables, regex started with "^".

for example:

location regex "^/new/" {
    frang_limits {
	http_body_len 5;
	http_strict_host_checking true;
    }
}

http_chain {
  uri == "^/html/" -> default;
  -> default;
}

@biathlon3 biathlon3 force-pushed the ag_Multi-pattern-regular-expressions branch from 9082e54 to 5c02ff5 Compare July 8, 2024 06:04
@biathlon3 biathlon3 force-pushed the ag_Multi-pattern-regular-expressions branch from 5c02ff5 to 8c64bfa Compare July 8, 2024 17:09
@biathlon3 biathlon3 mentioned this pull request Jul 12, 2024
Open
@biathlon3 biathlon3 force-pushed the ag_Multi-pattern-regular-expressions branch 2 times, most recently from 4f4608e to d932ab5 Compare July 25, 2024 11:13
@biathlon3 biathlon3 marked this pull request as ready for review July 26, 2024 13:24
@biathlon3
Copy link
Contributor Author

I squashed it into one commit so it can be reviewed.

@biathlon3 biathlon3 force-pushed the ag_Multi-pattern-regular-expressions branch from d932ab5 to 5f2b864 Compare July 29, 2024 16:35
@biathlon3
Implemented regex for locations and httptables
09f70b3 
Made regex configuration same way as in Nginx.
@biathlon3 biathlon3 force-pushed the ag_Multi-pattern-regular-expressions branch from 5f2b864 to 09f70b3 Compare July 29, 2024 18:23
@biathlon3 biathlon3 mentioned this pull request Aug 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@const-t const-t Awaiting requested review from const-t

@EvgeniiMekhanik EvgeniiMekhanik Awaiting requested review from EvgeniiMekhanik

@krizhanovsky krizhanovsky Awaiting requested review from krizhanovsky

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Multi-pattern regular expressions
2 participants
@biathlon3 @kingluo