lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170104104251.GB30008@penelope.horms.nl>
Date:   Wed, 4 Jan 2017 11:42:54 +0100
From:   Simon Horman <simon.horman@...ronome.com>
To:     Yotam Gigi <yotamg@...lanox.com>
Cc:     Roopa Prabhu <roopa@...ulusnetworks.com>,
        Jiri Pirko <jiri@...nulli.us>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        Ido Schimmel <idosch@...lanox.com>,
        Elad Raz <eladr@...lanox.com>,
        Nogah Frankel <nogahf@...lanox.com>,
        Or Gerlitz <ogerlitz@...lanox.com>,
        "jhs@...atatu.com" <jhs@...atatu.com>,
        "geert+renesas@...der.be" <geert+renesas@...der.be>,
        "stephen@...workplumber.org" <stephen@...workplumber.org>,
        "xiyou.wangcong@...il.com" <xiyou.wangcong@...il.com>,
        "linux@...ck-us.net" <linux@...ck-us.net>,
        "john.fastabend@...il.com" <john.fastabend@...il.com>
Subject: Re: [patch net-next v2 5/8] Introduce sample tc action

On Wed, Nov 16, 2016 at 04:26:44PM +0000, Yotam Gigi wrote:
> >-----Original Message-----
> >From: Roopa Prabhu [mailto:roopa@...ulusnetworks.com]
> >Sent: Wednesday, November 16, 2016 6:15 PM
> >To: Jiri Pirko <jiri@...nulli.us>
> >Cc: netdev@...r.kernel.org; davem@...emloft.net; Yotam Gigi
> ><yotamg@...lanox.com>; Ido Schimmel <idosch@...lanox.com>; Elad Raz
> ><eladr@...lanox.com>; Nogah Frankel <nogahf@...lanox.com>; Or Gerlitz
> ><ogerlitz@...lanox.com>; jhs@...atatu.com; geert+renesas@...der.be;
> >stephen@...workplumber.org; xiyou.wangcong@...il.com; linux@...ck-us.net;
> >john.fastabend@...il.com; simon.horman@...ronome.com
> >Subject: Re: [patch net-next v2 5/8] Introduce sample tc action
> >
> >On 11/14/16, 7:00 AM, Jiri Pirko wrote:
> >> From: Yotam Gigi <yotamg@...lanox.com>
> >>
> >> This action allow the user to sample traffic matched by tc classifier.
> >> The sampling consists of choosing packets randomly, truncating them,
> >> adding some informative metadata regarding the interface and the original
> >> packet size and mark them with specific mark, to allow further tc rules to
> >> match and process. The marked sample packets are then injected into the
> >> device ingress qdisc using netif_receive_skb.
> >>
> >> The packets metadata is packed using the ife encapsulation protocol, and
> >> the outer packet's ethernet dest, source and eth_type, along with the
> >> rate, mark and the optional truncation size can be configured from
> >> userspace.
> >>
> >> Example:
> >> To sample ingress traffic from interface eth1, and redirect the sampled
> >> the sampled packets to interface dummy0, one may use the commands:
> >>
> >> tc qdisc add dev eth1 handle ffff: ingress
> >>
> >> tc filter add dev eth1 parent ffff: \
> >> 	   matchall action sample rate 12 mark 17
> >
> >Yotham, I am guessing in the future if one does not want to use mark,
> >the sample api is extensible to allow for other actions to be added.
> >This is from the general concern we had on using mark: some may not want to use
> >mark.
> >As long as the api is extensible to allow an alternate way in the future,
> > we should be good. (We would prefer to not go down the path of having to
> >introduce
> >a new  'action sample' if this limits us in some way).
> 
> The code is extensible  - if one does want to add another action to sample, he 
> totally can :)
> 
> By the way, one of the reasons we removed the patches for now is that we 
> consider adding mirroring functionality to it instead of heaving two tc-rules.

Hi Yotham,

I see that this action combines several discrete sub-actions, some of which
duplicate functionality present in existing actions:

* sample
* truncate
* IFE encapsulation with metadata
* mark
* output (proposed)

I wonder if it would make sense to provided a mechanism whereby sampled
packets can be passed on to other actions. Something similar to the
existing pipe mechanism but allowing for the sampled and the original packets
to continue to be processed separately.

If so, it may be worth white-listing actions for which sampled packets are
known to work well to limit the scope for unforseen side effects.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ