Date:   Tue, 5 Sep 2017 16:23:30 +0200
From:   Jiri Pirko <jiri@...nulli.us>
To:     Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
Cc:     netdev@...r.kernel.org, roopa@...ulusnetworks.com,
        dsa@...ulusnetworks.com, xiyou.wangcong@...il.com, jhs@...atatu.com
Subject: Re: [RFC net-next] net: sch_clsact: add support for global per-netns
 classifier mode

Tue, Sep 05, 2017 at 04:07:51PM CEST, jiri@...nulli.us wrote:
>Tue, Sep 05, 2017 at 02:48:21PM CEST, nikolay@...ulusnetworks.com wrote:
>>Hi all,
>>This RFC adds a new mode for clsact which designates a device's egress
>>classifier as global per netns. The packets that are not classified for
>>a particular device will be classified using the global classifier.
>>We have needed a global classifier for some time now for various
>>purposes and setting the single bridge or loopback/vrf device as the
>>global classifier device is acceptable for us. Doing it this way avoids
>>the act/cls device and queue dependencies.
>>
>>This is strictly an RFC patch just to show the intent; if we agree on
>>the details the proposed patch will have support for both ingress and
>>egress, and will be using a static key to avoid the fast path test when no
>>global classifier has been configured.
>>
>>Example (need a modified tc that adds TCA_OPTIONS when using q_clsact):
>>$ tc qdisc add dev lo clsact global
>>$ tc filter add dev lo egress protocol ip u32 match ip dst 4.3.2.1/32 action drop
>>
>>the last filter will be global for all devices that don't have a
>>specific egress_cl_list (i.e. have clsact configured).
>>
>>Any comments and thoughts would be greatly appreciated.

For the record, I think this "global" thing is a hack similar to
cls_u32 shared hashlists.


>
>Did you see my shared blocks work? I believe that it should resolve your
>use case, in a generic way. You just have to bind the devices you need to
>the shared block. Please see the RFC:
>
>https://www.spinics.net/lists/netdev/msg444067.html
