Date:	Mon,  2 Mar 2015 13:54:58 -0800
From:	Joe Stringer <joestringer@...ira.com>
To:	netdev@...r.kernel.org, Pablo Neira Ayuso <pablo@...filter.org>
Cc:	linux-kernel@...r.kernel.org, Justin Pettit <jpettit@...ira.com>,
	Andy Zhou <azhou@...ira.com>, Thomas Graf <tgraf@...g.ch>,
	Patrick McHardy <kaber@...sh.net>
Subject: [RFCv2 net-next 0/7] OVS conntrack support

The goal of this series is to allow OVS to send packets through the Linux
kernel connection tracker, and subsequently match on fields populated by
conntrack.

Sending this out as another RFC change as this is the first time IP fragment
support is included. Only IPv4 is added right now, as we'd like to get some
feedback on that approach before we implement IPv6 frag support.

Helper support is also yet to be addressed, for tracking a particular flow a la
iptables CT targets. I think this is just a matter of having userspace specify
the helper to use (e.g. via an 8-bit field in the conntrack action), and setting
up the conntrack template accordingly when OVS first installs the flow containing
a conntrack action.

There are some additional related items that I intend to work on, which I do
not see as prerequisite for this series:
- OVS Connlabel support.
- Allow OVS to register logging facilities for conntrack.
- Conntrack per-zone configuration.

The branch below has been updated with the corresponding userspace pieces:
https://github.com/justinpettit/ovs/tree/conntrack


RFCv2:
- Support IPv4 fragments
- Warn when ct->net is different from skb net in skb_has_valid_nfct().
- Set OVS_CS_F_TRACKED when a flow cannot be identified ("invalid")
- Continue processing packets when conntrack marks the flow invalid.
- Use PF_INET6 family when sending IPv6 packets to conntrack.
- Verify conn_* matches when deserializing metadata from netlink.
- Only allow conntrack action on IPv4/IPv6 packets.
- Remove explicit dependencies on conn_zone, conn_mark.
- General tidyups

RFCv1:
- Rebase to net-next.
- Add conn_zone field to the flow key.
- Add explicit dependencies on conn_zone, conn_mark.
- Refactor conntrack changes into net/openvswitch/ovs_conntrack.*.
- Don't allow set_field() actions to change conn_state, conn_zone.
- Add OVS_CS_F_* flags to indicate connection state.
- Add "invalid" connection state.


Andy Zhou (3):
  net: refactor ip_fragment()
  net: Refactor ip_defrag() APIs
  openvswitch: Support fragmented IPv4 packets for conntrack

Joe Stringer (2):
  openvswitch: Serialize acts with original netlink len
  openvswitch: Move MASKED* macros to datapath.h

Justin Pettit (2):
  openvswitch: Add conntrack action
  openvswitch: Allow matching on conntrack mark

 drivers/net/macvlan.c               |    2 +-
 include/net/ip.h                    |   13 +-
 include/uapi/linux/openvswitch.h    |   42 +++-
 net/ipv4/ip_fragment.c              |   46 ++--
 net/ipv4/ip_input.c                 |    5 +-
 net/ipv4/ip_output.c                |  113 +++++----
 net/ipv4/netfilter/nf_defrag_ipv4.c |    2 +-
 net/netfilter/ipvs/ip_vs_core.c     |    2 +-
 net/openvswitch/Kconfig             |   11 +
 net/openvswitch/Makefile            |    1 +
 net/openvswitch/actions.c           |  140 +++++++++---
 net/openvswitch/conntrack.c         |  427 +++++++++++++++++++++++++++++++++++
 net/openvswitch/conntrack.h         |   91 ++++++++
 net/openvswitch/datapath.c          |   60 +++--
 net/openvswitch/datapath.h          |   10 +
 net/openvswitch/flow.c              |    4 +
 net/openvswitch/flow.h              |    4 +
 net/openvswitch/flow_netlink.c      |   95 ++++++--
 net/openvswitch/flow_netlink.h      |    4 +-
 net/openvswitch/vport.c             |    1 +
 net/packet/af_packet.c              |    2 +-
 21 files changed, 938 insertions(+), 137 deletions(-)
 create mode 100644 net/openvswitch/conntrack.c
 create mode 100644 net/openvswitch/conntrack.h

-- 
1.7.10.4
