Date:	Tue, 5 May 2015 15:06:08 +0200
From:	Florian Westphal <fw@...len.de>
To:	Jamal Hadi Salim <jhs@...atatu.com>
Cc:	Florian Westphal <fw@...len.de>, netdev@...r.kernel.org, alexei.starovoitov@...il.com
Subject: Re: [PATCH -next 0/5] replace skb tc_verd member with 3 dedicated bit flags

Jamal Hadi Salim <jhs@...atatu.com> wrote:
> It is borderline questionable for 1 bit but for consistency I
> suggest you do what was there before. I pointed to nocls but
> I meant the comment generically because previous code you are
> changing intended to use the macros.

True.

> In any case I will leave it up to you.

Okay, thanks Jamal.

I'll have to think about this wrt. how to proceed.

> >>- We need two bits for the location (ingress, egress, from stack)
> >>from stack being 0 i.e when it is not set implicitly it is from the
> >>host stack then we can check for ingress or egress when we choose.
> >
> >Hmm, are you sure?  How is that used?
> >
> 
> As example, when something like
> if (!(at & AT_EGRESS))
> implies it is either from ingress or the stack.
> It does not mean only from ingress.
> >In fact ifb will BUG() if neither AT_INGRESS or AT_EGRESS was set
> >in G_TC_FROM().
> >
> 
> Yes, because you can't send directly from the host stack to ifb. You
> can only redirect to it. If we ever end there from the host we should
> bug()

$ git grep G_TC_FROM | nl
1  drivers/net/ifb.c:              u32 from = G_TC_FROM(skb->tc_verd);
2  drivers/net/ifb.c:      u32 from = G_TC_FROM(skb->tc_verd);
3  include/uapi/linux/pkt_cls.h:#define G_TC_FROM(x)       _TC_GETVALUE(x,S_TC_FROM,M_TC_FROM)
4  net/sched/sch_netem.c:                  if (G_TC_FROM(skb->tc_verd) & AT_INGRESS)

#1 will BUG() if G_TC_FROM yields 0
#4 only cares about AT_INGRESS

I can indeed get #2 to return 'from 0', via:

ip link set dev ifb0 up
ip addr add  10.2.1.1/8 dev ifb0
ping 10.2.1.2

However, there is no user-visible behaviour change since skb->iif is 0 for locally generated
skbs.  Since we do '(from == 0 || skb->iif == 0) -> drop', ifb will still be a /dev/null sink
for skbs that did not come in via the mirred action.

This also seems to work:
ip link set dev ifb0 up
ip link set dev eth1 up
ip addr add  192.168.42.1/24 dev eth1
tc qdisc add dev eth1 root handle 1: htb default 1
tc filter add dev eth1 parent 1: protocol all u32 match u32 0 0 action mirred egress redirect dev ifb0
ping -c 1 -b 192.168.42.255

iif is set to the eth1 iif by the mirred action, so it's nonzero by the time the skb ends up in ifb and is redirected.

I fully admit that I did not consider this beforehand though ;)

Is there anything else I am missing?

Cheers,
Florian
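The two ifb checks and the 2-bit "from" encoding discussed above, as an added user-space model (not kernel code and not part of the thread). The bit positions (location field in bits 6-7) and the AT_STACK/AT_INGRESS/AT_EGRESS values are assumed to match the pkt_cls.h layout of that era; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Location field: 2 bits at position 6-7 of tc_verd (assumed pkt_cls.h layout). */
#define S_TC_FROM          6u
#define M_TC_FROM          0x3u
#define G_TC_FROM(x)       (((x) >> S_TC_FROM) & M_TC_FROM)
#define V_TC_FROM(n)       (((uint32_t)(n) & M_TC_FROM) << S_TC_FROM)
#define SET_TC_FROM(v, n)  (V_TC_FROM(n) | ((v) & ~(M_TC_FROM << S_TC_FROM)))
#define AT_STACK   0x0   /* implicit: neither location bit set */
#define AT_INGRESS 0x1
#define AT_EGRESS  0x2

/* Hypothetical stand-in for the two skb fields the ifb checks look at. */
struct model_skb {
    uint32_t tc_verd;
    int      skb_iif;   /* 0 for a locally generated packet */
};

/* Jamal's point: "!(at & AT_EGRESS)" is true for AT_INGRESS and for AT_STACK. */
bool not_from_egress(uint32_t tc_verd)
{
    return !(G_TC_FROM(tc_verd) & AT_EGRESS);
}

/* Model of the guard in ifb's xmit path: from == 0 or iif == 0 means drop. */
bool ifb_xmit_would_drop(const struct model_skb *skb)
{
    uint32_t from = G_TC_FROM(skb->tc_verd);
    return !(from & (AT_INGRESS | AT_EGRESS)) || skb->skb_iif == 0;
}

/* Model of the worker dispatch: 1 = transmit, 2 = receive, -1 = the BUG() branch. */
int ifb_worker_dispatch(const struct model_skb *skb)
{
    uint32_t from = G_TC_FROM(skb->tc_verd);
    return (from & AT_EGRESS) ? 1 : (from & AT_INGRESS) ? 2 : -1;
}

int main(void)
{
    /* Constructed: ping out of ifb0 (stack, iif 0) vs. mirred redirect from eth1. */
    struct model_skb local = { SET_TC_FROM(0u, AT_STACK), 0 };
    struct model_skb redir = { SET_TC_FROM(0u, AT_EGRESS), 3 };
    printf("local: drop=%d  redirected: drop=%d dispatch=%d\n",
           ifb_xmit_would_drop(&local), ifb_xmit_would_drop(&redir),
           ifb_worker_dispatch(&redir));
    return 0;
}
```

The locally generated case is dropped by the xmit guard and never reaches the dispatch branch that would BUG(), which is the point of the argument above.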