lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Jul 2016 18:46:24 -0600 From: Philp Prindeville <philipp@...fish-solutions.com> To: Tom Herbert <tom@...bertland.com>, fgao@...vckh6395k16k5.yundunddos.com Cc: "David S. Miller" <davem@...emloft.net>, Stephen Hemminger <stephen@...workplumber.org>, Pravin B Shelar <pshelar@...ira.com>, Alex Duyck <aduyck@...antis.com>, Linux Kernel Network Developers <netdev@...r.kernel.org>, gfree.wind@...il.com Subject: Re: [PATCH 1/1] rps: Inspect PPTP encapsulated by GRE to get flow hash Inline... On 07/27/2016 06:04 PM, Tom Herbert wrote: > On Wed, Jul 27, 2016 at 4:42 PM, <fgao@...ai8.com> wrote: >> From: Gao Feng <fgao@...ai8.com> >> >> The PPTP is encapsulated by GRE header with that GRE_VERSION bits >> must contain one. But current GRE RPS needs the GRE_VERSION must be >> zero. So RPS does not work for PPTP traffic. >> >> In my test environment, there are four MIPS cores, and all traffic >> are passed through by PPTP. As a result, only one core is 100% busy >> while other three cores are very idle. After this patch, the usage >> of four cores are balanced well. >> >> Signed-off-by: Gao Feng <fgao@...ai8.com> >> --- >> v1: Initial patch >> >> include/uapi/linux/if_tunnel.h | 5 +- >> net/core/flow_dissector.c | 138 ++++++++++++++++++++++++++--------------- >> 2 files changed, 92 insertions(+), 51 deletions(-) >> >> diff --git a/include/uapi/linux/if_tunnel.h b/include/uapi/linux/if_tunnel.h >> index 1046f55..dda4e4b 100644 >> --- a/include/uapi/linux/if_tunnel.h >> +++ b/include/uapi/linux/if_tunnel.h >> @@ -24,9 +24,12 @@ >> #define GRE_SEQ __cpu_to_be16(0x1000) >> #define GRE_STRICT __cpu_to_be16(0x0800) >> #define GRE_REC __cpu_to_be16(0x0700) >> -#define GRE_FLAGS __cpu_to_be16(0x00F8) >> +#define GRE_ACK __cpu_to_be16(0x0080) >> +#define GRE_FLAGS __cpu_to_be16(0x0078) >> #define GRE_VERSION __cpu_to_be16(0x0007) >> >> +#define GRE_PROTO_PPP __cpu_to_be16(0x880b) >> + >> struct ip_tunnel_parm { >> char name[IFNAMSIZ]; >> int link; >> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c >> index 61ad43f..d95e060 100644 >> --- a/net/core/flow_dissector.c >> +++ b/net/core/flow_dissector.c >> @@ -346,63 +346,101 @@ ip_proto_again: >> hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data, hlen, &_hdr); >> if (!hdr) >> goto out_bad; >> - /* >> - * Only look inside GRE if version zero and no >> - * routing >> - */ >> - if (hdr->flags & (GRE_VERSION | GRE_ROUTING)) >> - break; >> >> - proto = hdr->proto; >> - nhoff += 4; >> - if (hdr->flags & GRE_CSUM) >> + /* >> + * Only look inside GRE if version zero and no >> + * routing > This comment is no longer true, GRE version 1 is being handled. > >> + */ >> + if (!(hdr->flags & (GRE_VERSION | GRE_ROUTING))) { >> + proto = hdr->proto; >> nhoff += 4; >> - if (hdr->flags & GRE_KEY) { >> - const __be32 *keyid; >> - __be32 _keyid; >> + if (hdr->flags & GRE_CSUM) >> + nhoff += 4; >> + if (hdr->flags & GRE_KEY) { >> + const __be32 *keyid; >> + __be32 _keyid; >> + >> + keyid = __skb_header_pointer(skb, nhoff, sizeof(_keyid), >> + data, hlen, &_keyid); >> + >> + if (!keyid) >> + goto out_bad; >> + >> + if (dissector_uses_key(flow_dissector, >> + FLOW_DISSECTOR_KEY_GRE_KEYID)) { >> + key_keyid = skb_flow_dissector_target(flow_dissector, >> + FLOW_DISSECTOR_KEY_GRE_KEYID, >> + target_container); >> + key_keyid->keyid = *keyid; >> + } >> + nhoff += 4; >> + } >> + if (hdr->flags & GRE_SEQ) >> + nhoff += 4; >> + if (proto == htons(ETH_P_TEB)) { >> + const struct ethhdr *eth; >> + struct ethhdr _eth; >> + >> + eth = __skb_header_pointer(skb, nhoff, >> + sizeof(_eth), >> + data, hlen, &_eth); >> + if (!eth) >> + goto out_bad; >> + proto = eth->h_proto; >> + nhoff += sizeof(*eth); >> + >> + /* Cap headers that we access via pointers at the >> + * end of the Ethernet header as our maximum alignment >> + * at that point is only 2 bytes. >> + */ >> + if (NET_IP_ALIGN) >> + hlen = nhoff; >> + } >> >> - keyid = __skb_header_pointer(skb, nhoff, sizeof(_keyid), >> - data, hlen, &_keyid); >> + key_control->flags |= FLOW_DIS_ENCAPSULATION; >> + if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP) >> + goto out_good; >> >> - if (!keyid) >> + goto again; >> + } else if (hdr->proto == GRE_PROTO_PPP && (hdr->flags & GRE_VERSION) && >> + (hdr->flags & GRE_KEY) && >> + !(hdr->flags & (GRE_CSUM | GRE_ROUTING | GRE_STRICT | GRE_REC | GRE_FLAGS))) { >> + /* It should be the PPTP in GRE >> + * We have checked the flags according to the >> + * RFC 2637 >> + */ >> + struct ppp_frame { >> + /* address & control, just ignore it */ >> + __be16 ignore; >> + __be16 proto; >> + } *frame, _frame; > Isn't there a common definition of a PPP frame? If there were, it would be in <net/ppp_defs.h> but it's not. It's sort of implied the macros PPP_ADDRESS(), PPP_CONTROL(), and PPP_PROTOCOL(). Please rewrite the patch to use these. -Philip >> + int offset = 0; >> + >> + /* Skip GRE header */ >> + offset += 4; >> + /* Skip payload length and call id */ >> + offset += 4; >> + >> + if (hdr->flags & GRE_SEQ) >> + offset += 4; >> + >> + if (hdr->flags & GRE_ACK) >> + offset += 4; >> + >> + frame = skb_header_pointer(skb, nhoff + offset, sizeof(_frame), &_frame); >> + if (!frame) >> goto out_bad; >> - >> - if (dissector_uses_key(flow_dissector, >> - FLOW_DISSECTOR_KEY_GRE_KEYID)) { >> - key_keyid = skb_flow_dissector_target(flow_dissector, >> - FLOW_DISSECTOR_KEY_GRE_KEYID, >> - target_container); >> - key_keyid->keyid = *keyid; >> + if (frame->proto == __constant_htons(PPP_IP)) { >> + nhoff += (sizeof(*frame) + offset); >> + proto = __constant_htons(ETH_P_IP); >> + goto again; >> + } else if (frame->proto == __constant_htons(PPP_IPV6)) { >> + nhoff += (sizeof(*frame) + offset); >> + proto = __constant_htons(ETH_P_IPV6); >> + goto again; > There's a lot of code replication here with the version 0 path. Please > consolidate these. Also, this looks an awful lot like ETH_P_PPP_SES, > can this code leverage that code? > >> } >> - nhoff += 4; >> } >> - if (hdr->flags & GRE_SEQ) >> - nhoff += 4; >> - if (proto == htons(ETH_P_TEB)) { >> - const struct ethhdr *eth; >> - struct ethhdr _eth; >> - >> - eth = __skb_header_pointer(skb, nhoff, >> - sizeof(_eth), >> - data, hlen, &_eth); >> - if (!eth) >> - goto out_bad; >> - proto = eth->h_proto; >> - nhoff += sizeof(*eth); >> - >> - /* Cap headers that we access via pointers at the >> - * end of the Ethernet header as our maximum alignment >> - * at that point is only 2 bytes. >> - */ >> - if (NET_IP_ALIGN) >> - hlen = nhoff; >> - } >> - >> - key_control->flags |= FLOW_DIS_ENCAPSULATION; >> - if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP) >> - goto out_good; >> - >> - goto again; >> + break; >> } >> case NEXTHDR_HOP: >> case NEXTHDR_ROUTING: >> -- >> 1.9.1 >>
Powered by blists - more mailing lists