| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 5 Jan 2017 14:34:58 +0200
From: Amir Vadai <amir@...ai.me>
To: Jiri Benc <jbenc@...hat.com>
Cc: "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
Jiri Pirko <jiri@...lanox.com>,
Or Gerlitz <ogerlitz@...lanox.com>,
Hadar Har-Zion <hadarh@...lanox.com>
Subject: Re: [PATCH net-next V2 0/3] net/sched: act_pedit: Use offset
relative to conventional network headers
On Thu, Jan 05, 2017 at 12:54:14PM +0100, Jiri Benc wrote:
> On Thu, 5 Jan 2017 11:54:51 +0200, Amir Vadai wrote:
> > You asked me [1] why did I use specific header names instead of layers (L2, L3...),
> > and I explained that it is on purpose, this extra information is planned to be used
> > by hardware drivers to offload the action.
> >
> > Some FW/HW parser APIs are such that they need to get the specific header type (e.g
> > IPV4 or IPV6, TCP or UDP) and not only the networking level (e.g network or transport).
>
> Don't we need better API specification (and enforcement) then, though?
> See below.
>
> > Usage example:
> > $ tc filter add dev enp0s9 protocol ip parent ffff: \
> > flower \
> > ip_proto tcp \
> > dst_port 80 \
> > action \
> > pedit munge ip ttl add 0xff \
> > pedit munge tcp dport set 8080 \
> > pipe action mirred egress redirect dev veth0
>
> What happens when one does:
>
> tc filter add ... flower ip_proto udp action pedit munge tcp ...
>
> ?
This is a simple action. It is not fool proof - it prevents the user
from getting out of packet bounds, but it is the user responsibility to
provide valid rules.
>
> Jiri
Powered by blists - more mailing lists