| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 08 Jan 2015 17:39:54 +0800 From: Fan Du <fengyuleidian0615@...il.com> To: Jesse Gross <jesse@...ira.com> CC: "Du, Fan" <fan.du@...el.com>, Thomas Graf <tgraf@...g.ch>, "davem@...emloft.net" <davem@...emloft.net>, "Michael S. Tsirkin" <mst@...hat.com>, Jason Wang <jasowang@...hat.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "fw@...len.de" <fw@...len.de>, "dev@...nvswitch.org" <dev@...nvswitch.org>, "pshelar@...ira.com" <pshelar@...ira.com> Subject: Re: [PATCH net] gso: do GSO for local skb with size bigger than MTU 于 2015年01月08日 04:52, Jesse Gross 写道: >> My understanding is: >> >controller sets the forwarding rules into kernel datapath, any flow not >> >matching >> >with the rules are threw to controller by upcall. Once the rule decision is >> >made >> >by controller, then, this flow packet is pushed down to datapath to be >> >forwarded >> >again according to the new rule. >> > >> >So I'm not sure whether pushing the over-MTU-sized packet or pushing the >> >forged ICMP >> >without encapsulation to controller is required by current ovs >> >implementation. By doing >> >so, such over-MTU-sized packet is treated as a event for the controller to >> >be take >> >care of. > If flows are implementing routing (again, they are doing things like > decrementing the TTL) then it is necessary for them to also handle > this situation using some potentially new primitives (like a size > check). Otherwise you end up with issues like the ones that I > mentioned above like needing to forge addresses because you don't know > what the correct ones are. Thanks for explaining, Jesse! btw, I don't get it about "to forge addresses", building ICMP message with Guest packet doesn't require to forge address when not encapsulating ICMP message with outer headers. If the flows aren't doing things to > implement routing, then you really have a flat L2 network and you > shouldn't be doing this type of behavior at all as I described in the > original plan. For flows implementing routing scenario: First of all, over-MTU-sized packet could only be detected once the flow as been consulted(each port could implement a 'check' hook to do this), and just before send to the actual port. Then pushing the over-MTU-sized packet back to controller, it's the controller who will will decide whether to build ICMP message, or whatever routing behaviour it may take. And sent it back with the port information. This ICMP message will travel back to Guest. Why does the flow has to use primitive like a "check size"? "check size" will only take effect after do_output. I'm not very clear with this approach. And not all scenario involving flow with routing behaviour, just set up a vxlan tunnel, and attach KVM guest or Docker onto it for playing or developing. This wouldn't necessarily require user to set additional specific flows to make over-MTU-sized packet pass through the tunnel correctly. In such scenario, I think the original patch in this thread to fragment tunnel packet is still needed OR workout a generic component to build ICMP for all type tunnel in L2 level. Both of those will act as a backup plan as there is no such specific flow as default. If I missed something obviously, please let me know. -- No zuo no die but I have to try. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists