lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <F5E3D9FC-F7FC-42AB-8F39-717C3E040402@darbyshire-bryant.me.uk>
Date:   Thu, 24 May 2018 04:52:16 +0000
From:   Kevin Darbyshire-Bryant <kevin@...byshire-bryant.me.uk>
To:     Toke Høiland-Jørgensen <toke@...e.dk>
CC:     David Miller <davem@...emloft.net>,
        Cake List <cake@...ts.bufferbloat.net>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        "netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>
Subject: Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to
        packet classifier



> On 23 May 2018, at 23:40, Toke Høiland-Jørgensen <toke@...e.dk> wrote:
> 
<snip>
> 
> Hmm, and we still have an issue with ingress filtering (where cake is
> running on an ifb interface). That runs pre-NAT in the conntrack case,
> and we can't do the RX trick. Here we do the lookup manually in
> conntrack (and this part is actually what brings in most of the
> dependencies). Any neat tricks up your sleeve for this case? :)

I wonder here if our terminology with ‘ingress’ is causing confusion.  For avoidance of doubt:

Typical use case of cake on LAN/WAN router requires two instances.  One instance (the egress) is on the WAN interface itself.  It is post conntrack and hence uses skb->nfct to work out the real pre-nat source address of the LAN hosts.

Since we cannot apply this qdisc to the ingress of our WAN interface we use an IFB to mirror the ingress packets, and then use a cake instance on the ifb interface on its egress path to in essence control the ingress traffic.

Cake has two modes, the normal ‘egress’ mode which is designed to be used when controlling egress traffic output, and shapes post any dropped packets.  ‘ingress’ mode is designed to be used on the egress of our ingress IFB, where the shaper counts all packets used (well they got here!) even if we decide to drop them a bit later.

The ifb positioned cake has the additional fun factor that the conntrack field hasn’t yet been filled in, so the qdisc has to go looking in the conntrack tables itself to see if any NATting has taken place and balance LAN host fairness based on that.

As far as I understand it, the flow dissector doesn’t obviously help with working out the pre-NAT addressing as the flow has already been mangled in the egress case, and is awaiting mangling on the ingress case.


Kevin

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ