Date:	Wed, 11 Mar 2015 10:34:00 -0700
From:	Cong Wang <cwang@...pensource.com>
To:	netdev <netdev@...r.kernel.org>
Cc:	Jamal Hadi Salim <jhs@...atatu.com>,
	David Miller <davem@...emloft.net>
Subject: Why do we prefer skb->priority to tc filters?

Hi,


Not sure about classful Qdiscs, but for classless ones like fq_codel, we
also prefer the skb->priority value over tc filters:

        if (TC_H_MAJ(skb->priority) == sch->handle &&
            TC_H_MIN(skb->priority) > 0 &&
            TC_H_MIN(skb->priority) <= q->flows_cnt)
                return TC_H_MIN(skb->priority);

        filter = rcu_dereference_bh(q->filter_list);
        if (!filter)
                return fq_codel_hash(q, skb) + 1;

        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
        result = tc_classify(skb, filter, &res);

Given that skb->priority can be specified in user-space, doesn't this
mean some application can always override our rules specified by tc
filters? I think we should always respect tc filters over any
application setting.

For discussion, I mean something like the below makes more sense to me:

        struct tcf_result res;
        int result;

-       if (TC_H_MAJ(skb->priority) == sch->handle &&
-           TC_H_MIN(skb->priority) > 0 &&
-           TC_H_MIN(skb->priority) <= q->flows_cnt)
-               return TC_H_MIN(skb->priority);
-
        filter = rcu_dereference_bh(q->filter_list);
-       if (!filter)
+       if (!filter) {
+               if (TC_H_MAJ(skb->priority) == sch->handle &&
+                   TC_H_MIN(skb->priority) > 0 &&
+                   TC_H_MIN(skb->priority) <= q->flows_cnt)
+                       return TC_H_MIN(skb->priority);
+
                return fq_codel_hash(q, skb) + 1;
+       }

        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
        result = tc_classify(skb, filter, &res);
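
Review bot: With the skb->priority test moved inside the `if (!filter)` branch, a qdisc that has any filter attached never consults skb->priority, including for packets that none of the attached filters match. The lines after tc_classify() are outside this hunk, so please confirm which flow an unmatched packet ends up in and state it in the changelog. This is also a user-visible behaviour change for setups that attach a filter and still rely on skb->priority to pick a flow, so the commit message and the fq_codel documentation should say that filters now take precedence. The three-line priority condition is moved verbatim; a small helper would keep the new branch readable.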

What do you think?

Thanks.
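
A user-space model of the two classification orders discussed in this message, added here as an example; it is not part of the original post or of the kernel source. The struct types, the sample values and the hash_flow/filter_flow fields are assumptions standing in for fq_codel_hash() + 1 and the tc_classify() result; only the TC_H_MAJ/TC_H_MIN masks match <linux/pkt_sched.h>.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same masks as TC_H_MAJ/TC_H_MIN in <linux/pkt_sched.h>. */
#define TC_H_MAJ(h) ((h) & 0xFFFF0000U)
#define TC_H_MIN(h) ((h) & 0x0000FFFFU)

/* Hypothetical stand-ins: {sch->handle, q->flows_cnt, filter attached?} */
struct model_qdisc { uint32_t handle, flows_cnt; bool has_filter; };
/* {skb->priority, fq_codel_hash()+1 stand-in, flow picked by the filter} */
struct model_pkt { uint32_t priority, hash_flow, filter_flow; };

/* Constructed samples: qdisc handle "1:", packet priority "1:3". */
static const struct model_qdisc Q_NOFILTER = { 0x00010000U, 1024, false };
static const struct model_qdisc Q_FILTER   = { 0x00010000U, 1024, true };
static const struct model_pkt PKT_APP = { 0x00010003U, 500, 7 };
static const struct model_pkt PKT_DEF = { 0, 500, 7 };

static bool prio_selects_flow(const struct model_qdisc *q, const struct model_pkt *p)
{
    return TC_H_MAJ(p->priority) == q->handle &&
           TC_H_MIN(p->priority) > 0 &&
           TC_H_MIN(p->priority) <= q->flows_cnt;
}

/* Order quoted at the top of the message: skb->priority is checked first. */
uint32_t classify_current(const struct model_qdisc *q, const struct model_pkt *p)
{
    if (prio_selects_flow(q, p))
        return TC_H_MIN(p->priority);
    if (!q->has_filter)
        return p->hash_flow;
    return p->filter_flow;
}

/* Order in the proposed diff: skb->priority only when no filter is attached. */
uint32_t classify_proposed(const struct model_qdisc *q, const struct model_pkt *p)
{
    if (!q->has_filter)
        return prio_selects_flow(q, p) ? TC_H_MIN(p->priority) : p->hash_flow;
    return p->filter_flow;
}

int main(void)
{
    printf("filter + prio 1:3, current : flow %u\n", (unsigned)classify_current(&Q_FILTER, &PKT_APP));
    printf("filter + prio 1:3, proposed: flow %u\n", (unsigned)classify_proposed(&Q_FILTER, &PKT_APP));
    return 0;
}
```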