| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Jan 2015 18:08:10 -0800 From: Shrijeet Mukherjee <shm@...ulusnetworks.com> To: Hannes Frederic Sowa <hannes@...essinduktion.org>, Scott Feldman <sfeldma@...il.com> Cc: Netdev <netdev@...r.kernel.org>, Jiří Pírko <jiri@...nulli.us>, john fastabend <john.fastabend@...il.com>, Thomas Graf <tgraf@...g.ch>, Jamal Hadi Salim <jhs@...atatu.com>, Andy Gospodarek <andy@...yhouse.net>, Roopa Prabhu <roopa@...ulusnetworks.com> Subject: RE: [PATCH net-next 1/3] net: add IPv4 routing FIB support for swdev >For the first idea, I'll try to make an example: > >Initial setup: ># ip rule ls >0: from all lookup local >32766: from all lookup main >32767: from all lookup default > ># ip rule add pref 100 iif swdev0 table 5 # ip rule ls >0: from all lookup local >100: from all iif swdev0 [detached] lookup 5 >> maybe we can show which rules are being able to get offloaded here >32766: from all lookup main >32767: from all lookup default > >table 5 should be the table we can insert routes into which are offloaded >to >hardware. > >During table modifications we linearly scan the rules if we find selectors >which >cannot be represented by hardware. > >In case we have a iif selector, we simply can use this table and just >synthesize it >into the particular interface. > >A ip-rule-from would need all the hardware being capable of matching source >addresses, otherwise we cannot offload all routing tables with higher >preference, >same for a to/tos rule. If we encounter a fwmark rule, we certainly cannot >represent it in hardware, so skip it (here we can think about entangling >those with >ACLs, but it feels hard to do). > >If rules are inserted or changed we must again validate the complete list >of rules >and decide if we need to flush all the routes and install a slow path via >kernel. > >What do you think? Does that make sense? I could try to come up with an API >for >that. ;) > This sounds really good, but I suspect the real problem is the case where the rule evaluation is in the hardware path right. If it is purely IF based there is no issue .. but any other policy like missed in table 1, then use table 2 will not work with this model .. or did I miss something ? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists