| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150923230808.GA12825@pox.localdomain> Date: Thu, 24 Sep 2015 01:08:08 +0200 From: Thomas Graf <tgraf@...g.ch> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Jiri Benc <jbenc@...hat.com>, netdev@...r.kernel.org, Roopa Prabhu <roopa@...ulusnetworks.com> Subject: Re: [PATCH net 0/2] lwtunnel: make it really work, for IPv4 On 09/23/15 at 04:09pm, Eric W. Biederman wrote: [...] > *Blink* You were targeting net.git with a feature enhancement???? > I will just ignore that. The point of this series is to not expose the src and dst port Netlink bits to user space in a released kernel because the ABI is not set in stone yet. Hence targeting net. If patch 1 is regarded unacceptable we should at least pull in patch 2 to not expose these bits until this has been worked out to leave the option proposed here on the table. > What I was observing is that in general the only tunneled packets that > need an ingress metadata dst for a tunneled medium ethernet like medium > are arp and ndisc packets. In other cases if you aren't doing something > exceptional like openvswitch the normal routing should be sufficient. > > Which means a ndo_reply_dst method could remove the need in many cases > for an ingress metadata dst to need to be allocated. The tunnel RX metadata collected is used to associate packets matching a particular tunnel id with the appropriate virtual networks by forwarding them to a separate netns, separate VRF device or a separate bridge. More sophisticated hypervisors may run multiple tunnel endpoints on the same host using different host addresses and differentiate packets based on the underlay destination IP as well. > Regardless a netdevice operation that digs into the packet and figures > out what is necessary for a reply seems like the clean way to make this > work for both arp and neighbour discovery. I'm not disagreeing entirely although I disagree that you can do the NDO without looking at the original metadata dst. Even a full fib lookup based on the requested IP in the ARP header is somewhat error prone. I fully agree though that once we support additional types besides IP tunneling then such an NDO might in fact make sense. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists