lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20170104110428.GA21160@penelope.horms.nl>
Date:   Wed, 4 Jan 2017 12:04:30 +0100
From:   Simon Horman <simon.horman@...ronome.com>
To:     Yotam Gigi <yotamg@...lanox.com>
Cc:     Roopa Prabhu <roopa@...ulusnetworks.com>,
        Jiri Pirko <jiri@...nulli.us>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        Ido Schimmel <idosch@...lanox.com>,
        Elad Raz <eladr@...lanox.com>,
        Nogah Frankel <nogahf@...lanox.com>,
        Or Gerlitz <ogerlitz@...lanox.com>,
        "jhs@...atatu.com" <jhs@...atatu.com>,
        "geert+renesas@...der.be" <geert+renesas@...der.be>,
        "stephen@...workplumber.org" <stephen@...workplumber.org>,
        "xiyou.wangcong@...il.com" <xiyou.wangcong@...il.com>,
        "linux@...ck-us.net" <linux@...ck-us.net>,
        "john.fastabend@...il.com" <john.fastabend@...il.com>
Subject: Re: [patch net-next v2 5/8] Introduce sample tc action

On Wed, Jan 04, 2017 at 11:01:46AM +0000, Yotam Gigi wrote:
> >-----Original Message-----
> >From: Simon Horman [mailto:simon.horman@...ronome.com]
> >Sent: Wednesday, January 04, 2017 12:43 PM
> >To: Yotam Gigi <yotamg@...lanox.com>
> >Cc: Roopa Prabhu <roopa@...ulusnetworks.com>; Jiri Pirko <jiri@...nulli.us>;
> >netdev@...r.kernel.org; davem@...emloft.net; Ido Schimmel
> ><idosch@...lanox.com>; Elad Raz <eladr@...lanox.com>; Nogah Frankel
> ><nogahf@...lanox.com>; Or Gerlitz <orlitz@...lanox.com>;
> >jhs@...atatu.com; geert+renesas@...der.be; stephen@...workplumber.org;
> >xiyou.wangcong@...il.com; linux@...ck-us.net; john.fastabend@...il.com
> >Subject: Re: [patch net-next v2 5/8] Introduce sample tc action
> >
> >On Wed, Nov 16, 2016 at 04:26:44PM +0000, Yotam Gigi wrote:
> >> >-----Original Message-----
> >> >From: Roopa Prabhu [mailto:roopa@...ulusnetworks.com]
> >> >Sent: Wednesday, November 16, 2016 6:15 PM
> >> >To: Jiri Pirko <jiri@...nulli.us>
> >> >Cc: netdev@...r.kernel.org; davem@...emloft.net; Yotam Gigi
> >> ><yotamg@...lanox.com>; Ido Schimmel <idosch@...lanox.com>; Elad Raz
> >> ><eladr@...lanox.com>; Nogah Frankel <nogahf@...lanox.com>; Or Gerlitz
> >> ><ogerlitz@...lanox.com>; jhs@...atatu.com; geert+renesas@...der.be;
> >> >stephen@...workplumber.org; xiyou.wangcong@...il.com; linux@...ck-
> >us.net;
> >> >john.fastabend@...il.com; simon.horman@...ronome.com
> >> >Subject: Re: [patch net-next v2 5/8] Introduce sample tc action
> >> >
> >> >On 11/14/16, 7:00 AM, Jiri Pirko wrote:
> >> >> From: Yotam Gigi <yotamg@...lanox.com>
> >> >>
> >> >> This action allow the user to sample traffic matched by tc classifier.
> >> >> The sampling consists of choosing packets randomly, truncating them,
> >> >> adding some informative metadata regarding the interface and the original
> >> >> packet size and mark them with specific mark, to allow further tc rules to
> >> >> match and process. The marked sample packets are then injected into the
> >> >> device ingress qdisc using netif_receive_skb.
> >> >>
> >> >> The packets metadata is packed using the ife encapsulation protocol, and
> >> >> the outer packet's ethernet dest, source and eth_type, along with the
> >> >> rate, mark and the optional truncation size can be configured from
> >> >> userspace.
> >> >>
> >> >> Example:
> >> >> To sample ingress traffic from interface eth1, and redirect the sampled
> >> >> the sampled packets to interface dummy0, one may use the commands:
> >> >>
> >> >> tc qdisc add dev eth1 handle ffff: ingress
> >> >>
> >> >> tc filter add dev eth1 parent ffff: \
> >> >> 	   matchall action sample rate 12 mark 17
> >> >
> >> >Yotham, I am guessing in the future if one does not want to use mark,
> >> >the sample api is extensible to allow for other actions to be added.
> >> >This is from the general concern we had on using mark: some may not want to
> >use
> >> >mark.
> >> >As long as the api is extensible to allow an alternate way in the future,
> >> > we should be good. (We would prefer to not go down the path of having to
> >> >introduce
> >> >a new  'action sample' if this limits us in some way).
> >>
> >> The code is extensible  - if one does want to add another action to sample, he
> >> totally can :)
> >>
> >> By the way, one of the reasons we removed the patches for now is that we
> >> consider adding mirroring functionality to it instead of heaving two tc-rules.
> >
> >Hi Yotham,
> >
> >I see that this action combines several discrete sub-actions, some of which
> >duplicate functionality present in existing actions:
> >
> >* sample
> >* truncate
> >* IFE encapsulation with metadata
> >* mark
> >* output (proposed)
> >
> >I wonder if it would make sense to provided a mechanism whereby sampled
> >packets can be passed on to other actions. Something similar to the
> >existing pipe mechanism but allowing for the sampled and the original packets
> >to continue to be processed separately.
> >
> >If so, it may be worth white-listing actions for which sampled packets are
> >known to work well to limit the scope for unforseen side effects.
> 
> Hi Simon,
> 
> The patches were removed and we intend to propose a different implementation for
> that, using a dedicated sampling netlink channel, thus removing the need to
> mark, mirror and IFE-pack the packets.
> 
> We intend to send in the next few weeks, so I guess you can comment on the new
> version.

Hi Yotham,

thanks, I look forward to seeing the new approach.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ