lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 30 Aug 2016 15:31:55 +0200
From:   Jesper Dangaard Brouer <brouer@...hat.com>
To:     Jamal Hadi Salim <jhs@...atatu.com>
Cc:     John Fastabend <john.fastabend@...il.com>, bblanco@...mgrid.com,
        davem@...emloft.net, alexei.starovoitov@...il.com,
        john.r.fastabend@...el.com, netdev@...r.kernel.org,
        xiyou.wangcong@...il.com, brouer@...hat.com
Subject: Re: [net-next PATCH] e1000: add initial XDP support

On Tue, 30 Aug 2016 08:13:15 -0400 Jamal Hadi Salim <jhs@...atatu.com> wrote:

> On 16-08-29 11:55 AM, Jesper Dangaard Brouer wrote:
> > tc filter add dev mlx5p2 parent ffff: prio 4 protocol ip u32 match ip protocol 17 0xff match udp dst 9 0xffff flowid 1:1 action  
> 
> Syntax is a little more convoluted  than that ;->. Try:
> 
> sudo tc filter add dev eth0 parent ffff: prio 4 protocol ip u32 \
> match ip protocol 17 0xff \
> match ip dport 1900 0xffff \
> flowid 1:1 \
> action drop

I think I figured out why, match "udp dst" does not work.  It seems to
depend on "nexthdr+0" which is an implicit variable, that for unknown
reasons are not set in my original rule (above).

Before you suggestion I managed to match the udp port by manually
defining the offset, assuming an IP-header is 20 bytes (no-options),
like:

tc filter add dev $device parent ffff: prio 4 protocol ip \
	u32 \
	match ip protocol 17 0xff \
	match udp dst $udp_port 0xffff at 21\
	flowid 1:1 \
	action drop

You solution with "ip dport" also works, but man[1] tc-u32(8) also have
a warning about "ip dport" size assumptions...

Updated my script to use "u32 match ip port":
 https://github.com/netoptimizer/network-testing/commit/6449f6beb4d2

> Note, this will be more cycles than drop all.

Yes, that is the point ;-) XDP also does header parsing...

-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  Author of http://www.iptv-analyzer.org
  LinkedIn: http://www.linkedin.com/in/brouer

[1] http://man7.org/linux/man-pages/man8/tc-u32.8.html#SELECTORS

Powered by blists - more mailing lists