lists.openwall.net: Open Source and information security mailing list archives
Date:   Thu, 1 Sep 2016 14:35:20 -0700
From:   John Fastabend <john.fastabend@...il.com>
To:     Jesper Dangaard Brouer <brouer@...hat.com>,
        Jamal Hadi Salim <jhs@...atatu.com>
Cc:     bblanco@...mgrid.com, davem@...emloft.net,
        alexei.starovoitov@...il.com, john.r.fastabend@...el.com,
        netdev@...r.kernel.org, xiyou.wangcong@...il.com
Subject: Re: [net-next PATCH] e1000: add initial XDP support

On 16-08-30 06:31 AM, Jesper Dangaard Brouer wrote:
> On Tue, 30 Aug 2016 08:13:15 -0400 Jamal Hadi Salim <jhs@...atatu.com> wrote:
> 
>> On 16-08-29 11:55 AM, Jesper Dangaard Brouer wrote:
>>> tc filter add dev mlx5p2 parent ffff: prio 4 protocol ip u32 match ip protocol 17 0xff match udp dst 9 0xffff flowid 1:1 action  
>>
>> Syntax is a little more convoluted than that ;->. Try:
>>
>> sudo tc filter add dev eth0 parent ffff: prio 4 protocol ip u32 \
>> match ip protocol 17 0xff \
>> match ip dport 1900 0xffff \
>> flowid 1:1 \
>> action drop
> 
> I think I figured out why, match "udp dst" does not work.  It seems to
> depend on "nexthdr+0" which is an implicit variable, that for unknown
> reasons is not set in my original rule (above).
> 
> Before your suggestion I managed to match the udp port by manually
> defining the offset, assuming an IP-header is 20 bytes (no-options),
> like:
> 
> tc filter add dev $device parent ffff: prio 4 protocol ip \
> 	u32 \
> 	match ip protocol 17 0xff \
> 	match udp dst $udp_port 0xffff at 21 \
> 	flowid 1:1 \
> 	action drop
> 
> Your solution with "ip dport" also works, but man[1] tc-u32(8) also has
> a warning about "ip dport" size assumptions...
> 
> Updated my script to use "u32 match ip port":
>  https://github.com/netoptimizer/network-testing/commit/6449f6beb4d2
> 

FWIW the 'udp dst' notation is quite fragile in that it only reads an
offset into the packet where a udp dst port might be. More robust
solutions require the use of links.

I have a wrapper tool around the 'link' creation part of u32 that we
can probably show off at netconf. :)


>> Note, this will be more cycles than drop all.
> 
> Yes, that is the point ;-) XDP also does header parsing...
> 
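The link-based u32 form John refers to above, as an added example that is not part of the thread and not Jesper's script: a POSIX shell function that installs an ingress drop for UDP to one destination port, locating the UDP header through a hash-table link whose offset is computed from the IPv4 IHL field, so it does not assume a 20-byte IP header the way the `at 21` / `ip dport` forms in the thread do. The device and port arguments are placeholders, and `TC="echo tc"` is a dry-run convention assumed here (tc itself needs root and a real interface).

```shell
#!/bin/sh
# Added example (not code from the thread): robust u32 ingress drop of UDP
# traffic to one destination port. The parent rule "eats" IHL*4 bytes before
# linking to a child table, so the child's "udp dst" match lands on the real
# UDP header even when the IP header carries options.
# Assumptions: DEV/PORT are supplied by the caller; set TC="echo tc" to print
# the commands instead of running them.

TC="${TC:-tc}"

u32_udp_dport_drop() {
    dev="$1"
    port="$2"

    # Ingress qdisc; "parent ffff:" below refers to it. Ignore "already exists".
    $TC qdisc add dev "$dev" ingress 2>/dev/null || true

    # 1) Child hash table 1: with one bucket. It must live in the same
    #    prio/protocol as the linking rule, since links resolve inside that set.
    $TC filter add dev "$dev" parent ffff: prio 4 handle 1: protocol ip u32 divisor 1

    # 2) Rule inside table 1:. After the parent rule has eaten the IP header,
    #    "udp dst" (a 16-bit match at offset 2 of the next header) is evaluated
    #    relative to the start of the UDP header, whatever the IHL is.
    $TC filter add dev "$dev" parent ffff: prio 4 protocol ip u32 ht 1: \
        match udp dst "$port" 0xffff \
        flowid 1:1 action drop

    # 3) Root rule: IPv4 protocol 17, and only packets that carry the UDP
    #    header (unfragmented or first fragment), then link to table 1:,
    #    advancing the base offset by IHL*4 bytes: the u16 at offset 0 is
    #    version|IHL,TOS; mask 0x0f00 keeps IHL<<8; shift right 6 gives IHL*4.
    $TC filter add dev "$dev" parent ffff: prio 4 protocol ip u32 \
        match ip protocol 17 0xff \
        match ip firstfrag \
        link 1: offset at 0 mask 0f00 shift 6 plus 0 eat
}

# Show the installed ingress filters (with TC="tc -s" the hit counters too).
u32_show() {
    $TC filter show dev "$1" ingress
}
```

Call it as `u32_udp_dport_drop eth0 1900`, then `tc -s filter show dev eth0 ingress` to confirm the drop action's counters move while you send UDP to that port; a packet with IP options that the `at 21` form would miss is still dropped here because the offset is derived per packet.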
