Date:	Tue, 05 Jan 2010 05:46:56 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Andrew Morton <akpm@...ux-foundation.org>
CC:	netdev@...r.kernel.org, bugzilla-daemon@...zilla.kernel.org,
	bugme-daemon@...zilla.kernel.org, stas@...pt.org.ru
Subject: Re: [Bugme-new] [Bug 14875] New: iproute2: problems with "tc filter
 replace" and u32 hashing filters

Andrew Morton wrote:
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
> 
>> http://bugzilla.kernel.org/show_bug.cgi?id=14875
>>
>> I'm using u32 hashing filters and have some issues with "tc filter replace"
>> command.
>>
>> Issue 1: "tc filter replace" command does not replace filters inside u32 hash
>> tables and works like "tc filter add" command.
>>
>> Consider the following scenario:
>>
>> ...
>> 2. Add filter for IP-address 10.0.0.1
>>
>> tc class add dev eth1 parent 1: classid 1:3 htb rate 256kibit ceil 256kibit
>> tc qdisc add dev eth1 parent 1:3 handle 3:0 pfifo limit 50
>> tc filter add dev eth1 parent 1: pref 20 u32 ht 100:1: \
>>     match ip src 10.0.0.1 flowid 1:3
>>
>> 3. Try to replace filter for 10.0.0.1 with a new one for 10.0.0.2
>>
>> tc filter replace dev eth1 parent 1: pref 20 u32 ht 100:1: \
>>     match ip src 10.0.0.2 flowid 1:3
>>
>> I expect that the filter for 10.0.0.1 in hash table 100:1: has been replaced
>> by the new rule for 10.0.0.2. But "tc -p filter show dev eth1" outputs two
>> filters for both 10.0.0.1 and 10.0.0.2:
>>
>> filter parent 1: protocol ip pref 10 u32 fh 100:1:800 order 2048 key ht 100
>>  bkt 1 flowid 1:3
>>   match IP src 10.0.0.1/32
>> filter parent 1: protocol ip pref 10 u32 fh 100:1:801 order 2049 key ht 100
>>  bkt 1 flowid 1:3
>>   match IP dst 10.0.0.2/32
>>
>> It means that "tc filter replace" command did not delete the filter 100:1:800, 
>> but attached a new one with handle 100:1:801, just like the "tc filter add" 
>> command. I think it is a wrong behaviour for "replace" command.

You need to specify a handle for the filters to get replaced.

tc filter add dev eth1 parent 1: pref 20 handle 100:1 u32 ht 100:1: \
    match ip src 10.0.0.1 flowid 1:3

tc filter replace dev eth1 parent 1: pref 20 handle 100:1 u32 ht 100:1: \
    match ip src 10.0.0.2 flowid 1:3

works fine.

>> Issue 2: It seems that tc does not provide any syntax to replace a single
>> filter inside the hash table. The command with explicit handle number
>>
>> tc filter replace dev eth1 parent 1: pref 20 u32 ht 100:1:800 \
>>     match ip dst 10.0.0.3 flowid 1:3
>>
>> gives the error message: "ht" must be a hash table.
>>
>> The similar command with "handle 100:1:800" prints "What is "handle"?" and
>> usage information.

Handles consist of a major and minor number, not three numbers,
see above.