Date: Sun, 27 Nov 2016 12:35:23 +0200
From: Amir Vadai <amir@...ai.me>
To: Jiri Benc <jbenc@...hat.com>
Cc: Stephen Hemminger <stephen@...workplumber.org>, "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org, Or Gerlitz <ogerlitz@...lanox.com>, Hadar Har-Zion <hadarh@...lanox.com>, Roi Dayan <roid@...lanox.com>
Subject: Re: [PATCH iproute2 0/2] tc/cls_flower: Support for ip tunnel metadata set/release/classify

On Thu, Nov 24, 2016 at 04:33:55PM +0100, Jiri Benc wrote:
> On Thu, 24 Nov 2016 17:06:33 +0200, Amir Vadai wrote:
> > So you mean to just unconditionally call skb_dst_drop() from
> > act_mirred()?
>
> That's one option. Or just leave the dst there, it shouldn't matter?
> (Except for forwarding to a different tunnel but as I said, it's a
> corner case and we may have a "tunnel_key unset" action for that.)

Ok, so I will write in the docs that it is optional to use the "unset"
operation (and will rename it from "release" to "unset")

>
> > The use case we already have that uses the release action is the
> > hardware offload support, which is already in the kernel.
> > It is using the "tunnel_key release" action to signal the hardware to
> > strip off the ip tunnel headers.
>
> The tunnel headers must be removed upon reception on the tunnel
> interface without specifying anything, because that's how the Linux
> kernel behaves currently. If this is offloaded, this behavior must be
> preserved. I don't see how "tunnel_key release" might be used for
> stripping the headers.

Maybe I didn't express myself right: I need to tell the hardware
explicitly during the filter initialization to redirect the packets
arriving from one interface to another and to strip off the tunnel
headers. This is what happens when a "tunnel_key unset" action is created
and offloaded - it configures the hardware respectively.
So this is one use case where this operation is needed - and yes, in this
use case the actual skb_dst_drop() is not important or needed, but I
don't think it does any harm.

In the tunnel dev to tunnel dev use case, the operation could be
meaningful, if the user doesn't want to reuse the metadata created by the
origin tunnel dev.

>
> Jiri