Date: Tue, 30 Aug 2016 15:31:55 +0200
From: Jesper Dangaard Brouer <brouer@...hat.com>
To: Jamal Hadi Salim <jhs@...atatu.com>
Cc: John Fastabend <john.fastabend@...il.com>, bblanco@...mgrid.com,
    davem@...emloft.net, alexei.starovoitov@...il.com,
    john.r.fastabend@...el.com, netdev@...r.kernel.org,
    xiyou.wangcong@...il.com, brouer@...hat.com
Subject: Re: [net-next PATCH] e1000: add initial XDP support

On Tue, 30 Aug 2016 08:13:15 -0400
Jamal Hadi Salim <jhs@...atatu.com> wrote:

> On 16-08-29 11:55 AM, Jesper Dangaard Brouer wrote:
>
> > tc filter add dev mlx5p2 parent ffff: prio 4 protocol ip u32 match ip protocol 17 0xff match udp dst 9 0xffff flowid 1:1 action
>
> Syntax is a little more convoluted than that ;->. Try:
>
> sudo tc filter add dev eth0 parent ffff: prio 4 protocol ip u32 \
>     match ip protocol 17 0xff \
>     match ip dport 1900 0xffff \
>     flowid 1:1 \
>     action drop

I think I figured out why, match "udp dst" does not work. It seems to
depend on "nexthdr+0" which is an implicit variable, that for unknown
reasons is not set in my original rule (above).

Before your suggestion I managed to match the udp port by manually
defining the offset, assuming an IP-header is 20 bytes (no-options), like:

 tc filter add dev $device parent ffff: prio 4 protocol ip \
    u32 \
    match ip protocol 17 0xff \
    match udp dst $udp_port 0xffff at 21\
    flowid 1:1 \
    action drop

Your solution with "ip dport" also works, but man[1] tc-u32(8) also has
a warning about "ip dport" size assumptions...

Updated my script to use "u32 match ip port":
 https://github.com/netoptimizer/network-testing/commit/6449f6beb4d2

> Note, this will be more cycles than drop all.

Yes, that is the point ;-) XDP also does header parsing...

-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  Author of http://www.iptv-analyzer.org
  LinkedIn: http://www.linkedin.com/in/brouer

[1] http://man7.org/linux/man-pages/man8/tc-u32.8.html#SELECTORS
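
Added example, not part of the original message and not tc or kernel code: a small Python model of the "IP header is 20 bytes" assumption discussed above, showing that a drop rule reading the UDP destination port at a fixed offset stops matching once the packet carries IP options, while a rule that reads the IHL field first still matches. The packets, addresses, function names and the use of port 9 as the sample value are constructed for illustration.

```python
import struct

UDP_PROTO = 17
DROP_PORT = 9  # constructed sample value: the port from the quoted "udp dst 9" rule


def build_ipv4_udp(dport, options=b""):
    """Constructed test packet: IPv4 header, optional IP options, UDP header."""
    if len(options) % 4 or len(options) > 40:
        raise ValueError("IP options must be 0-40 bytes, padded to 4-byte words")
    ihl = 5 + len(options) // 4  # header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0,
                     64, UDP_PROTO, 0,  # checksum left at 0, not needed here
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + options + struct.pack("!HHHH", 12345, dport, 8, 0)


def match_fixed_offset(pkt, port):
    """Assumes a 20-byte IP header, so the UDP dst port is at bytes 22-23."""
    if len(pkt) < 24 or pkt[9] != UDP_PROTO:
        return False
    return struct.unpack_from("!H", pkt, 22)[0] == port


def match_ihl_aware(pkt, port):
    """Reads the IHL field first, then the dst port 2 bytes into the UDP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != UDP_PROTO:
        return False
    l4 = (pkt[0] & 0x0F) * 4  # start of the UDP header
    if l4 < 20 or len(pkt) < l4 + 4:
        return False
    return struct.unpack_from("!H", pkt, l4 + 2)[0] == port


def compare(port=DROP_PORT):
    """Return {case: (fixed_offset_hit, ihl_aware_hit)} for two sample packets."""
    cases = {
        "no IP options": build_ipv4_udp(port),
        "4 bytes of IP options": build_ipv4_udp(port, b"\x01\x01\x01\x00"),
    }
    return {name: (match_fixed_offset(p, port), match_ihl_aware(p, port))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (fixed, aware) in compare().items():
        print(f"{name:24} fixed-offset={fixed} ihl-aware={aware}")
```

When a drop rule built on a fixed offset is deployed as a filter, checking it against a packet with IP options, as the model does, shows whether the rule covers that traffic or silently lets it through.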