| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAD6jFUQ+F4nBu6WmC6pW2GLSeUy+QfHngT=5NStt=2BRQFnA4w@mail.gmail.com>
Date: Fri, 26 Oct 2012 10:05:10 +0200
From: Daniel Borkmann <danborkmann@...earbox.net>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: Ani Sinha <ani@...stanetworks.com>, netdev@...r.kernel.org
Subject: Re: bpf filter : support for vlan tag
On Tue, Oct 16, 2012 at 1:28 PM, Eric Dumazet <eric.dumazet@...il.com> wrote:
> On Tue, 2012-10-16 at 13:00 +0200, Daniel Borkmann wrote:
>> On Tue, Oct 16, 2012 at 8:46 AM, Eric Dumazet <eric.dumazet@...il.com> wrote:
>> > On Mon, 2012-10-15 at 19:10 -0700, Ani Sinha wrote:
>> >> I was looking at the kernel side implementation of the BPF filter. I
>> >> do not see any code that supports filtering of packets based on
>> >> provided vlan tag information from the skbuff. This will make it
>> >> impossible to provide any filter to tcpdump that will filter packets
>> >> based on the tag information if libpcap uses the kernel filter.
>> >>
>> >> Any help will be much appreciated.
>> >
>> > Right, we need a basic support, using a new ancillary definition.
>> >
>> > Is the following patch enough to address your need, or do you also need
>> > access to vlan_tx_tag_present() ?
>>
>> I like this patch, it's especially useful to speed up processing for
>> packet analyzers. vlan_tx_tag_present() might also be good to have if
>> this doesn't waste to much room for future ancillary operations.
>
> There is plenty of room in ancillary space
>
> Note that if speed is needed, we also want to update various JIT
> implementations.
Eric, can you submit this patch to net-next if there are no objections
from your side regarding the follow-up comments? Big thanks.
> diff --git a/include/linux/filter.h b/include/linux/filter.h
> index 24d251f..c9f0005 100644
> --- a/include/linux/filter.h
> +++ b/include/linux/filter.h
> @@ -123,6 +123,8 @@ enum {
> BPF_S_ANC_CPU,
> BPF_S_ANC_ALU_XOR_X,
> BPF_S_ANC_SECCOMP_LD_W,
> + BPF_S_ANC_VLAN_TAG,
> + BPF_S_ANC_VLAN_TAG_PRESENT,
> };
>
> #endif /* __LINUX_FILTER_H__ */
> diff --git a/include/uapi/linux/filter.h b/include/uapi/linux/filter.h
> index 3d79224..9cfde69 100644
> --- a/include/uapi/linux/filter.h
> +++ b/include/uapi/linux/filter.h
> @@ -127,7 +127,9 @@ struct sock_fprog { /* Required for SO_ATTACH_FILTER. */
> #define SKF_AD_RXHASH 32
> #define SKF_AD_CPU 36
> #define SKF_AD_ALU_XOR_X 40
> -#define SKF_AD_MAX 44
> +#define SKF_AD_VLAN_TAG 44
> +#define SKF_AD_VLAN_TAG_PRESENT 48
> +#define SKF_AD_MAX 52
> #define SKF_NET_OFF (-0x100000)
> #define SKF_LL_OFF (-0x200000)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 3d92ebb..5a114d4 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -39,6 +39,7 @@
> #include <linux/reciprocal_div.h>
> #include <linux/ratelimit.h>
> #include <linux/seccomp.h>
> +#include <linux/if_vlan.h>
>
> /* No hurry in this branch
> *
> @@ -341,6 +342,12 @@ load_b:
> case BPF_S_ANC_CPU:
> A = raw_smp_processor_id();
> continue;
> + case BPF_S_ANC_VLAN_TAG:
> + A = vlan_tx_tag_get(skb);
> + continue;
> + case BPF_S_ANC_VLAN_TAG_PRESENT:
> + A = !!vlan_tx_tag_present(skb);
> + continue;
> case BPF_S_ANC_NLATTR: {
> struct nlattr *nla;
>
> @@ -600,6 +607,8 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen)
> ANCILLARY(RXHASH);
> ANCILLARY(CPU);
> ANCILLARY(ALU_XOR_X);
> + ANCILLARY(VLAN_TAG);
> + ANCILLARY(VLAN_TAG_PRESENT);
> }
> }
> ftest->code = code;
>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists