| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 08 Jan 2015 14:03:59 +0100 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Shrijeet Mukherjee <shm@...ulusnetworks.com> Cc: Scott Feldman <sfeldma@...il.com>, Netdev <netdev@...r.kernel.org>, Jiří Pírko <jiri@...nulli.us>, john fastabend <john.fastabend@...il.com>, Thomas Graf <tgraf@...g.ch>, Jamal Hadi Salim <jhs@...atatu.com>, Andy Gospodarek <andy@...yhouse.net>, Roopa Prabhu <roopa@...ulusnetworks.com> Subject: Re: [PATCH net-next 1/3] net: add IPv4 routing FIB support for swdev Hi, On Mi, 2015-01-07 at 09:54 -0800, Shrijeet Mukherjee wrote: > > > >I could come up with several ways how to model hardware. Depending on that > >the integration with rules is easy or nearly impossible: > > > >1) it simply cannot deal with ip rules, so there is no way an ACL can > >influence the > >outcome of a routing table lookup - if the feature should be used, it has > >to use > >the slow-path in the kernel. > > As Scott was saying, most hardware has table id's and the ability to > identify and prioritize that way. I saw Scott only talking about Rocker - maybe I missed it? > >2) ACLs can influence which routing table will get queried - this sounds > >very much > >like the ip rule model and it seems not too hard to model that. > > This clearly can be made to work .. the problem is really the space of > policy routing (i.e jump across VRF's incase of a lookup failure) when > combined with the space of ip rule flexibility. This very much depends on the hardware, I guess. The complexity is increased by the routing offloading knowing about the ACL datastructures and vice versa. > >3) Routing implementations in the hardware have a single routing table and > >the > >leafs carry different actions with priorities: making this kind of model > >working > >with the ip rule concept will become very difficult and it might require > >lots of > >algorithmic code by every driver to adapt to a single API provided by > >Linux. It > >might be possible, if the hardware provides actions like backtrack and > >retrack and > >can keep state of priorities during walking the tree, I really doubt that. > > > In the short term .. this maybe a good way to go but with a simplication. > Some tables are offloaded and the rest at the full table level is in > software. Finally then you can put a "default route" in the hardware table > to punt to cpu and then keep the software model clever and the hardware > model fast ? Yes, the algorithm I described in my prior mail implicitly does that, we can extend it bit by bit as new hardware supports more filter features. Especially the default configuration with only the RT_TABLE_LOCAL and RT_TABLE_MAIN allows complete offloading, which should be desirable. To deal with the RT_TABLE_LOCAL, we might walk the whole routing table and verify that all routes have full prefix length (32 ipv4 or 128 ipv6). Bye, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists