lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4AF85337.8060802@trash.net>
Date:	Mon, 09 Nov 2009 18:36:55 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Caitlin Bestler <caitlin.bestler@...il.com>
CC:	Rick Jones <rick.jones2@...com>,
	Bill Fink <billfink@...dspring.com>,
	Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@...el.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: RFC: ethtool support for n-tuple filter programming

Caitlin Bestler wrote:
> On Sat, Nov 7, 2009 at 3:28 PM, Rick Jones <rick.jones2@...com> wrote:
>> At the risk of typing words into someone's keyboard, I interpreted it as
>> suggesting using the filtering language of netfilter or something similar,
>> not necessarily netfilter itself?
>>
> 
> Correct, a netfilter-friendly interface to the driver could be invoked by
> lower-overhead entities that netfilter and the driver would not care.
> 
> However the real goal would be to still use netfilter, which would become
> a low-overhead entity if it could delegate 90% of the rules it enforced to
> smart hardware.

That's not possible in a compatible fashion with ip_tables because of
counters, logging, rules affecting traffic from multiple interfaces,
targets not supported in hardware (which I presume will simply be
"DROP") etc.

Counters are actually the worst feature standing in the way of this,
but even without them, you could usually only offload the first n
dropping rules that don't use any features not supported in hardware
and only affect the specific interface. Any "ACCEPT" rule is most
likely followed by further drop rules, so packets actually need to
hit those rules in software to exit table processing.

It gets even worse if you consider ingress TC actions directing the
packets to different interfaces or mangling them.

> The fundamental suggestion is to start with a filter specification that is
> clearly too rich for any Ethernet device, and let the Ethernet devices
> decide how quickly they want to catch up. As opposed to standardizing
> how smart a smart Ethernet device is and potentially leaving some hardware
> capabilities made inaccessible.
> 
> I'll point out that once you assume an Ethernet Device is capable of doing
> TCP/UDP checksum offload and LSO/LRO then clearly you have recognized
> that it is an L4 aware device. Designing its filtering rules as though it were
> an L2-only device does not allow it to take advantage of the L4 parsing that
> many/most Ethernet NICs already do.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ