Message-ID: <7302c1f7-b6d1-90b7-5df1-3e5e0ba98f53@gmail.com>
Date:   Sat, 15 Feb 2020 11:06:43 -0700
From:   David Ahern <dsahern@...il.com>
To:     Carmine Scarpitta <carmine.scarpitta@...roma2.it>,
        davem@...emloft.net
Cc:     kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org, kuba@...nel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        ahmed.abdelsalam@...i.it, david.lebrun@...ouvain.be,
        dav.lebrun@...il.com, andrea.mayer@...roma2.it,
        paolo.lungaroni@...t.it
Subject: Re: [net-next 1/2] Perform IPv4 FIB lookup in a predefined FIB table

On 2/12/20 6:09 PM, Carmine Scarpitta wrote:
> In IPv4, the routing subsystem is invoked by calling ip_route_input_rcu()
> which performs the recognition logic and calls ip_route_input_slow().
> 
> ip_route_input_slow() initialises both "fi" and "table" members
> of the fib_result structure to null before calling fib_lookup().
> 
> fib_lookup() performs fib lookup in the routing table configured
> by the policy routing rules.
> 
> In this patch, we allow invoking the ip4 routing subsystem
> with known routing table. This is useful for use-cases implementing
> a separate routing table per tenant.
> 
> The patch introduces a new flag named "tbl_known" to the definition of
> ip_route_input_rcu() and ip_route_input_slow().
> 
> When the flag is set, ip_route_input_slow() will call fib_table_lookup()
> using the defined table instead of using fib_lookup().

I do not like this change. If you want a specific table lookup, then why
just call fib_table_lookup directly? Both it and rt_dst_alloc are
exported for modules. Your next patch already does a fib table lookup.


> 
> Signed-off-by: Carmine Scarpitta <carmine.scarpitta@...roma2.it>
> Acked-by: Ahmed Abdelsalam <ahmed.abdelsalam@...i.it>
> Acked-by: Andrea Mayer <andrea.mayer@...roma2.it>
> Acked-by: Paolo Lungaroni <paolo.lungaroni@...t.it>
> ---
>  include/net/route.h |  2 +-
>  net/ipv4/route.c    | 22 ++++++++++++++--------
>  2 files changed, 15 insertions(+), 9 deletions(-)
> 
> diff --git a/include/net/route.h b/include/net/route.h
> index a9c60fc68e36..4ff977bd7029 100644
> --- a/include/net/route.h
> +++ b/include/net/route.h
> @@ -183,7 +183,7 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
>  			 u8 tos, struct net_device *devin);
>  int ip_route_input_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
>  		       u8 tos, struct net_device *devin,
> -		       struct fib_result *res);
> +		       struct fib_result *res, bool tbl_known);
>  
>  int ip_route_use_hint(struct sk_buff *skb, __be32 dst, __be32 src,
>  		      u8 tos, struct net_device *devin,
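
Review bot: the new `bool tbl_known` argument in the ip_route_input_rcu() prototype is undocumented, and a trailing bool in a shared header reads as an opaque true/false at every call site. With only a flag added, the table has to arrive through `res`, so the prototype should carry a comment stating that the caller must fill res->table before the call when tbl_known is true, or the table should be passed as an explicit parameter instead of a flag.
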
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index d5c57b3f77d5..39cec9883d6f 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -2077,7 +2077,7 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr,
>  
>  static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
>  			       u8 tos, struct net_device *dev,
> -			       struct fib_result *res)
> +			       struct fib_result *res, bool tbl_known)
>  {
>  	struct in_device *in_dev = __in_dev_get_rcu(dev);
>  	struct flow_keys *flkeys = NULL, _flkeys;
> @@ -2109,8 +2109,6 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
>  	if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr))
>  		goto martian_source;
>  
> -	res->fi = NULL;
> -	res->table = NULL;
>  	if (ipv4_is_lbcast(daddr) || (saddr == 0 && daddr == 0))
>  		goto brd_input;
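
Review bot: removing the unconditional `res->fi = NULL;` and `res->table = NULL;` leaves both fields uninitialized on the `goto brd_input` path directly below when tbl_known is false, and nothing in the visible lines resets them before that jump. Keep the reset for the unset-flag case, for example `if (!tbl_known) { res->fi = NULL; res->table = NULL; }`, placed where the removed lines were so that it still runs before the broadcast check.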

I believe this also introduces a potential bug. You remove the fi
initialization yet do not cover the goto case.

