lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a90fed1e-fa40-5047-e618-325487f7319e@gmail.com>
Date:   Thu, 29 Nov 2018 07:47:07 -0800
From:   John Fastabend <john.fastabend@...il.com>
To:     Pablo Neira Ayuso <pablo@...filter.org>, netdev@...r.kernel.org
Cc:     davem@...emloft.net, thomas.lendacky@....com, f.fainelli@...il.com,
        ariel.elior@...ium.com, michael.chan@...adcom.com,
        santosh@...lsio.com, madalin.bucur@....com,
        yisen.zhuang@...wei.com, salil.mehta@...wei.com,
        jeffrey.t.kirsher@...el.com, tariqt@...lanox.com,
        saeedm@...lanox.com, jiri@...lanox.com, idosch@...lanox.com,
        jakub.kicinski@...ronome.com, peppe.cavallaro@...com,
        grygorii.strashko@...com, andrew@...n.ch,
        vivien.didelot@...oirfairelinux.com, alexandre.torgue@...com,
        joabreu@...opsys.com, linux-net-drivers@...arflare.com,
        ganeshgr@...lsio.com, ogerlitz@...lanox.com,
        Manish.Chopra@...ium.com, marcelo.leitner@...il.com
Subject: Re: [PATCH net-next,v4 00/12] add flow_rule infrastructure

On 11/28/18 6:22 PM, Pablo Neira Ayuso wrote:
> Hi,
> 
> This patchset is another iteration to introduce an in-kernel intermediate
> representation (IR) to express ACL hardware offloads [1] [2] [3].
> 

Hi,

Also wanted to add. In an earlier thread it was mentioned this could be
used for other offload rule infrastructures specifically u32 was
mentioned. I don't think this is actually possible on the flow_rule
side. This set uses basically an enum based key system where enums
such as FLOW_DISSECTOR_KEY_* identify the field in the packet. For
every field we want to match a new key is needed. But the u32 classifier
defines fields using offset/mask and a parse graph. They do not seem
compatible to me so in the end this unifies ethtool and flower only.
Did I get this right?

So would it be better to simply map ethtool onto flower vs defining
a new one? Patch 1 seems to be pretty light-weight so maybe rather
than calling it a new IR we just need some helper routines for
drivers to work with.

Probably a more detailed cover letter explaining motivation
and any future work would help (me at least) understand the direction.
I see netfilter offload was mentioned at one point so maybe that is
the motivation that makes it more clear why flower API today is
insufficient. Mostly curious at this point I see Jiri and Florian
both reviewed it already.

Thanks,
John

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ