lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 10 Jul 2017 20:51:06 +0200
From:   Jiri Pirko <jiri@...nulli.us>
To:     netdev@...r.kernel.org
Cc:     davem@...emloft.net, jhs@...atatu.com, xiyou.wangcong@...il.com,
        edumazet@...gle.com, stephen@...workplumber.org, jbenc@...hat.com,
        mlxsw@...lanox.com, andrew@...n.ch,
        vivien.didelot@...oirfairelinux.com, f.fainelli@...il.com,
        john.fastabend@...il.com, alexander.h.duyck@...el.com,
        daniel@...earbox.net, ogerlitz@...lanox.com, mrv@...atatu.com
Subject: [patch net-next RFC 0/4] net: sched: allow qdiscs to share filter block instances

From: Jiri Pirko <jiri@...lanox.com>

Currently the filters added to qdiscs are independent. So for example if you
have 2 netdevices and you create ingress qdisc on both and you want to add
identical filter rules both, you need to add them twice. This patchset
makes this easier and mainly saves resources allowing to share all filters
within a qdisc - I call it a "filter block". Also this helps to save
resources when we do offload to hw for example to expensive TCAM.

So back to the example. First, we create 2 qdiscs. Both will share
block number 22. "22" is just an identification. If we don't pass any
block number, a new one will be generated by kernel:

$ tc qdisc add dev ens7 ingress block 22
                                ^^^^^^^^
$ tc qdisc add dev ens8 ingress block 22
                                ^^^^^^^^

Now if we list the qdiscs, we will see the block index in the output:
qdisc fq_codel 0: dev ens7 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn 
 Sent 9014 bytes 99 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc ingress ffff: dev ens7 parent ffff:fff1 block 22 
                                              ^^^^^^^^
 Sent 4592 bytes 58 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc fq_codel 0: dev ens8 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn 
 Sent 17022 bytes 307 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc ingress ffff: dev ens8 parent ffff:fff1 block 22 
                                              ^^^^^^^^
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 


Now we can add filter to any of qdiscs sharing the same block:

$ tc filter add dev ens7 parent ffff: protocol ip pref 25 flower dst_ip 192.168.0.0/16 action drop


We will see the same output if we list filters for ens7 and ens8, including stats:

$ tc -s filter show dev ens7 root
filter parent ffff: protocol ip pref 25 flower 
filter parent ffff: protocol ip pref 25 flower handle 0x1 
  eth_type ipv4
  dst_ip 192.168.1.0/24
        action order 1: gact action drop
         random type none pass val 0
         index 3 ref 1 bind 1 installed 10201 sec used 10150 sec
        Action statistics:
        Sent 4200 bytes 50 pkt (dropped 50, overlimits 0 requeues 0) 
        backlog 0b 0p requeues 0 

$ tc -s filter show dev ens8 root
filter dev ens7 parent ffff: protocol ip pref 25 flower 
filter dev ens7 parent ffff: protocol ip pref 25 flower handle 0x1 
  eth_type ipv4
  dst_ip 192.168.1.0/24
        action order 1: gact action drop
         random type none pass val 0
         index 3 ref 1 bind 1 installed 10202 sec used 10152 sec
        Action statistics:
        Sent 4200 bytes 50 pkt (dropped 50, overlimits 0 requeues 0) 
        backlog 0b 0p requeues 0 


Issues:
- tp->q is set by the device used to add the filter. That has to be resolved.
  Impacts the dump (as you can see above)

Jiri Pirko (4):
  net: sched: introduce support for multiple filter chain pointers
    registration
  net: sched: intruduce qdisc_net helper
  net: sched: introduce shared filter blocks infrastructure
  net: sched: allow ingress and clsact qdiscs to share filter blocks

 include/net/pkt_cls.h          |  22 +++-
 include/net/pkt_sched.h        |   7 ++
 include/net/sch_generic.h      |   4 +-
 include/uapi/linux/pkt_sched.h |  12 +++
 net/sched/cls_api.c            | 240 +++++++++++++++++++++++++++++++++++++----
 net/sched/sch_ingress.c        | 107 ++++++++++++++++--
 6 files changed, 362 insertions(+), 30 deletions(-)

-- 
2.9.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ