lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1305821795.3028.82.camel@edumazet-laptop>
Date:	Thu, 19 May 2011 18:16:35 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Tom Herbert <therbert@...gle.com>
Cc:	davem@...emloft.net, netdev@...r.kernel.org
Subject: Re: [PATCH 4/4] rps: Inspect GRE encapsulated packets to get flow
 hash

Le jeudi 19 mai 2011 à 08:39 -0700, Tom Herbert a écrit :
> Crack open GRE packets in __skb_get_rxhash to compute 4-tuple hash on
> in encapsulated packet.  Note that this is used only when the
> __skb_get_rxhash is taken, in particular only when the device does
> not compute provide the rxhash (ie. feature is disabled).
> 
> This was tested by creating a single GRE tunnel between two 16 core
> AMD machines.  200 netperf TCP_RR streams were ran with 1 byte
> request and response size.
> 
> Without patch: 157497 tps, 50/90/99% latencies 1250/1292/1364 usecs
> With patch: 325896 tps, 50/90/99% latencies 603/848/1169
> 
> Signed-off-by: Tom Herbert <therbert@...gle.com>
> ---
>  net/core/dev.c |   22 ++++++++++++++++++++++
>  1 files changed, 22 insertions(+), 0 deletions(-)
> 
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 0c83494..7799bbd 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -2552,6 +2552,28 @@ again:
>  	}
>  
>  	switch (ip_proto) {
> +	case IPPROTO_GRE:
> +		if (pskb_may_pull(skb, nhoff + 16)) {
> +			u8 *h = skb->data + nhoff;
> +			__be16 flags = *(__be16 *)h;
> +
> +			/*
> +			 * Only look inside GRE if version zero and no
> +			 * routing
> +			 */
> +			if (!(flags & (GRE_VERSION|GRE_ROUTING))) {
> +				proto = *(__be16 *)(h + 2);
> +				nhoff += 4;
> +				if (flags & GRE_CSUM)
> +					nhoff += 4;
> +				if (flags & GRE_KEY)
> +					nhoff += 4;
> +				if (flags & GRE_SEQ)
> +					nhoff += 4;
> +				goto again;
> +			}
> +		}
> +		break;
>  	default:
>  		break;
>  	}


Hi Tom

For sure it helps if this machine is the final host for these packets.

If I am a firewall or router [and not looking into GRE packets], maybe I
dont want to spread all packets received on a tunnel to several cpus and
reorder them when forwarded.

Maybe we need to add a table, so that upper layer (GRE or IPIP tunnels)
can instruct __skb_get_rxhash() that we want to deep inspect packets.

1) Say we keep rxhash first evaluation be the one we have today.

2) Do a hash lookup in a new table to tell if upper layer handled a
previous packet for this first level flow and want more inspection.

3) table could contains 'pointers' to decoding function, that would
recompute a new rxhash function.

4) Find a way to "clean the table", garbage collect or expirations times
can do.

This way we can add stuff in GRE and IPIP modules [and other kind of
tunnels], without layer violations ?



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ