| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Dec 2010 18:24:03 +0200 From: "Vladislav Zolotarov" <vladz@...adcom.com> To: "Ben Hutchings" <bhutchings@...arflare.com> cc: "Dimitris Michailidis" <dm@...lsio.com>, "Peter Waskiewicz" <peter.p.waskiewicz.jr@...el.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "David Miller" <davem@...emloft.net> Subject: Re: (Lack of) specification for RX n-tuple filtering > > It's a bit worse than that. Currently one can only append filters, not > > insert at a given position, as ethtool_rx_ntuple doesn't have an index > > field. For devices that use TCAMs, where position matters, it's quite an > > obstacle. It also means one cannot modify an existing filter by specifying > > a new filter for the same index. > > It looks like drivers for devices that use TCAMs should implement the > RXNFC interface instead. > Ben, from ethtool manpage it sounds like RXNFC option defines the way the RSS hash should be calculated, while SRXNTUPLE is meant to control the destination Rx queue for a stream specified by a filter/filters. The semantics for a specification of the steam is also quite different. For instance, how do u define a rule to drop all packets with source IP address 192.168.10.200 by means of RXNFC? While with SRXNTUPLE it's straight forward. So, if I understood the semantics of both interfaces correctly, there is a very limited range of functionality where they may replace one another. Pls., correct me if I'm wrong. I also agree with Dimitris: what we have here is an offload of some Netfilter functionality to HW. Regardless the HW implementation (TCAM or not) if it's allowed to configure more than one rule for the same protocol the ordering of filtering rules is important: for instance if u change the order of applying the rules in the example below the result of the filtering for the traffic with both VLAN 4 and destination port 3000 will be different. ethtool -U ethX flow-type tcp4 vlan 4 action 0 ethtool -U ethX flow-type tcp4 dst-port 3000 action 3 By the way it's also unclear from the ethtool man page if it's allowed to configure more than one rule for the same protocol. If it's not then the above example is void... ;) However, if we want to define a proper filtering interface I think we shouldn't restrict the driver implementation from defining a set of rules for the same protocol, allowing not to though. So, I think that attaching an index to each rule could be a good idea - this would allow us both inserting rules at the desired positions in the filtering rule table and editing the existing rules. It's also unclear what is the relation between RXNFC and SRXNTUPLE. The last in general may override the decision made based on the hash result. So, it sounds like applying rules of SRXNTUPLE should come before applying the RSS logic and only if there was no match RSS should be applied to that frame. Do I get it right? Pls., comment. thanks, vlad -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists