| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Oct 2009 18:40:12 -0400 From: jamal <hadi@...erus.ca> To: Ben Greear <greearb@...delatech.com> Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org, atis@...rotik.com, eric.dumazet@...il.com, zenczykowski@...il.com Subject: Re: [PATCH] net: Fix RPF to work with policy routing On Fri, 2009-10-23 at 08:34 -0700, Ben Greear wrote: > I implemented something similar while allowing for virtual router like > applications. I had to add a mark very early in the pkt rx logic in dev.c, > and had to add a 'skb_default_mark' member to the netdevice because > the route lookup is done before the normal iptables logic ran. You dont need to add a new construct to netdev. Here's how youd tag all packets coming on eth0 with mark 7: ---- tc filter add dev eth0 parent ffff: protocol ip \ pref 10 u32 match u32 0 0 flowid 1:17 \ action skbedit mark 7 --- Of course you could also be very flow specific, example: ---- tc filter add dev eth0 parent ffff: protocol ip \ pref 9 u32 match ip src 64.233.169.99/32 flowid 1:5 \ action skbedit mark 5 --- Or even use iptable marker --- tc filter add dev eth2 parent 1:0 protocol ip \ prio 5 u32 match ip dst 10.0.0.90/32 flowid 1:12 \ action ipt -j mark --set-mark 2 ---- You could even slice bread with this stuff. Example you could use certain policy routing tables only if a flow misbehaved (works well with routing not local destined packets), example --- tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 \ match ip src 10.0.0.90/32 flowid 1:10 \ action ipt -j mark --set-mark 1 \ action police rate 100kbit burst 90k pipe \ action ipt -j mark --set-mark 2 \ action police rate 50kbit burst 50k pipe \ action ipt -j mark --set-mark 3 \ action police rate 50kbit burst 50k drop ---- As a warning ipt could be shaky in some distros because of the morphing iptables interface. > Without > this, if a flow already existed for pkts coming in eth1, if the packet came > back in eth2, it would use eth1's flow. True. Of course you can avoid that with the patch i posted meeting the conditions i described with RPF. > I'll dig out the patch if anyone is interested... If you can do overlapping IP addresses, it would be interesting to see. Otherwise all is achievable with smart policy routing. cheers, jamal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists