Open Source and information security mailing list archives
Date:   Tue, 25 Jul 2017 19:38:55 +0800
From:   martinbj2008@...il.com
To:     martinbj2008@...il.com, davem@...emloft.net, nhorman@...driver.com,
        xiyou.wangcong@...il.com
Cc:     netdev@...r.kernel.org,
        martin Zhang <zhangjunweimartin@...ichuxing.com>
Subject: [PATCH v2 net-next 1/5] drop_monitor: import netnamespace framework

From: martin Zhang <zhangjunweimartin@...ichuxing.com>

Part1: requirement: dropwatch needs to work well under a docker instance.
    With docker being widely accepted, there are several net ns on a single physical host.
Some of them may have the same IP address. A docker instance is used the way a physical host was a few years ago.
The owner of an instance only cares about the dropped packets in his own instance, not the whole physical host.
So the initial motivation is:
   provide dropped packet information per instance (net ns), just like we have done for the host.

Part2: why the current dropwatch could not work well with a docker instance or net namespace
   Dropwatch is a sharp knife to find the location for the dropped packet,
   but it could not work under a net namespace (docker instance).
   1. net_drop_monitor_family does not support ".netnsok"
   2. drop monitor does not support statistics per net namespace.

Part3: How to extend the current drop monitor.
For control path
  1. Extend the start/stop netlink command for per net ns.
    The change is to extend the switch to a per net ns switch.
    without patch: when the start/stop netlink command is received, check the switch to filter repeat operations,
        and then (un)register_trace.
    with patch:  when the start/stop netlink command is received, check the per net ns switch to filter repeat operations,
        and then add (dec) ref for the global trace, then (un)register_trace if ref (0->1 or 1->0).

For data path
  1. hook the dropped skb: In the current version it works well, and is not touched.
  2. get the net namespace of the skb, and check if the switch of the current net ns is TRACE_ON.
    this part is arguable:
    V1: Get netns by skb->dev, skb->sock,
        which is wrong for a udp socket.
        Thanks to CongWang and Neil.

    V2: switch to get netns by skb->sock, skb->dev.
        because a: when crossing net ns, skb->sk will be cleaned and set to NULL.
                b. I think there is no case where skb->sock and skb->dev will be NULL at the same time.
                If I am wrong, please let me know, thanks.

  3. record the skb and increase the statistics for the net ns of the skb.
        This part just extends the netlink skb buffer from a global variable to a per net ns variable.
        without patch:
struct per_cpu_dm_data {
        spinlock_t              lock;
        struct sk_buff          *skb;
        struct work_struct      dm_alert_work;
        struct timer_list       send_timer;
};
        with patch:
            only keep dm_alert_work per cpu; skb and send timer will be changed to per cpu of per netns.

  4. broadcast the stat to userspace.
    Keep a workqueue per cpu. The workqueue function travels all the net namespaces and broadcasts a netlink message
per netns.
    I think the drop path is infrequent; maybe it needs to be enhanced in future.

In this patch:
Import two structs to support net ns:

1. struct per_ns_dm_cb:
  Just like its name, it is used per net ns.

  In this patch it is empty, but in the following patches these fields will be added.
  a. trace_state: every net ns has a switch to indicate the trace state.
  b. ns_dm_mutex: the mutex will only work and keep exclusive operations in a net ns.
  c. hw_stats_list: monitor for NAPI of the net device.

2. ns_pcpu_dm_data
   It is used to replace per_cpu_dm_data under per net ns.

   per_cpu_dm_data will only keep the dm_alert_work, and the other fields
will be moved to ns_pcpu_dm_data. They do the same thing just like the current
code, and the only difference is that it is under per net ns.

  Keep a work under percpu, to send the alert netlink message.

Signed-off-by: martin Zhang <zhangjunweimartin@...ichuxing.com>
---
 net/core/drop_monitor.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index 70ccda2..6a75e04 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -32,6 +32,10 @@
 #include <trace/events/napi.h>
 
 #include <asm/unaligned.h>
+#include <net/sock.h>
+#include <net/net_namespace.h>
+#include <net/netns/generic.h>
+#include <linux/smp.h>
 
 #define TRACE_ON 1
 #define TRACE_OFF 0
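Review bot: <net/sock.h> and <linux/smp.h> are added in this hunk but nothing in this patch uses them; only the pernet ops and net_generic() need <net/net_namespace.h> and <net/netns/generic.h>. Add each header in the patch of the series that first needs it, so every patch stays self-contained when bisecting.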
@@ -41,6 +45,13 @@
  * and the work handle that will send up
  * netlink alerts
  */
+
+struct ns_pcpu_dm_data {
+};
+
+struct per_ns_dm_cb {
+};
+
 static int trace_state = TRACE_OFF;
 static DEFINE_MUTEX(trace_state_mutex);
 
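Review bot: the two new structs are inserted between the "Globals ... netlink alerts" comment block and the globals it describes, so that comment now reads as if it documents ns_pcpu_dm_data. Move the definitions above the comment and give each struct its own short comment stating the role the commit message assigns it (per-netns control block; per-cpu data under a netns). An empty struct is also a GNU extension rather than ISO C; consider introducing the first real fields here instead of in a later patch.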
@@ -59,6 +70,7 @@ struct dm_hw_stat_delta {
 	unsigned long last_drop_val;
 };
 
+static int dm_net_id __read_mostly;
 static struct genl_family net_drop_monitor_family;
 
 static DEFINE_PER_CPU(struct per_cpu_dm_data, dm_cpu_data);
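Review bot: `static int dm_net_id __read_mostly;` should be `unsigned int`, since struct pernet_operations::id is `unsigned int *` and the later `.id = &dm_net_id` initializer takes its address; other subsystems declare their net id the same way.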
@@ -382,6 +394,33 @@ static int dropmon_net_event(struct notifier_block *ev_block,
 	.notifier_call = dropmon_net_event
 };
 
+static int __net_init dm_net_init(struct net *net)
+{
+	struct per_ns_dm_cb *ns_dm_cb;
+
+	ns_dm_cb = net_generic(net, dm_net_id);
+	if (!ns_dm_cb)
+		return -ENOMEM;
+
+	return 0;
+}
+
+static void __net_exit dm_net_exit(struct net *net)
+{
+	struct per_ns_dm_cb *ns_dm_cb;
+
+	ns_dm_cb = net_generic(net, dm_net_id);
+	if (!ns_dm_cb)
+		return;
+}
+
+static struct pernet_operations dm_net_ops = {
+	.init = dm_net_init,
+	.exit = dm_net_exit,
+	.id   = &dm_net_id,
+	.size = sizeof(struct per_ns_dm_cb),
+};
+
 static int __init init_net_drop_monitor(void)
 {
 	struct per_cpu_dm_data *data;
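Review bot: the NULL checks in dm_net_init() and dm_net_exit() are dead code when .size is nonzero, because the pernet core allocates the generic area before calling .init. With struct per_ns_dm_cb still empty, however, sizeof(struct per_ns_dm_cb) is 0 under gcc, the core allocates nothing and never assigns the slot, so net_generic() does not return a valid pointer and dm_net_init() fails with -ENOMEM; this patch on its own therefore breaks loading the module. Either add the struct's first fields here, or leave .size out until there is something to allocate, and drop dm_net_exit() until it has something to release.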
@@ -393,6 +432,7 @@ static int __init init_net_drop_monitor(void)
 		pr_err("Unable to store program counters on this arch, Drop monitor failed\n");
 		return -ENOSPC;
 	}
+	rc = register_pernet_subsys(&dm_net_ops);
 
 	rc = genl_register_family(&net_drop_monitor_family);
 	if (rc) {
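Review bot: the return value of register_pernet_subsys() on the added line is never checked; it is clobbered by `rc = genl_register_family(...)` on the very next statement, so a failed pernet registration is silently ignored. Test rc and return on error, and add unregister_pernet_subsys(&dm_net_ops) to the existing failure paths that follow (the `if (rc)` after genl_register_family and the notifier registration), otherwise a later init failure leaks the pernet registration.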
@@ -441,6 +481,7 @@ static void exit_net_drop_monitor(void)
 	 * or pending schedule calls
 	 */
 
+	unregister_pernet_subsys(&dm_net_ops);
 	for_each_possible_cpu(cpu) {
 		data = &per_cpu(dm_cpu_data, cpu);
 		del_timer_sync(&data->send_timer);
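Review bot: unregister_pernet_subsys() is placed before the per-cpu loop that del_timer_sync()s the send timer and cancels the alert work, which becomes the wrong order once the later patches in this series move skb and send_timer into ns_pcpu_dm_data: the per-net exit would release per-netns data while per-cpu work that references it can still run. Tear down in the reverse order of init, i.e. cancel the per-cpu work first and call unregister_pernet_subsys() at the end of exit_net_drop_monitor(), mirroring register_pernet_subsys() being the first registration in init.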
-- 
1.8.3.1
