lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 12 Dec 2018 21:52:36 +0100
From:   Florian Westphal <fw@...len.de>
To:     Eric Dumazet <eric.dumazet@...il.com>
Cc:     Florian Westphal <fw@...len.de>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next 02/13] sk_buff: add skb extension infrastructure

Eric Dumazet <eric.dumazet@...il.com> wrote:
> > If you prefer that, ok, but I don't see why we can't unify them behind
> > a single layer?
> 
> Well, for a start we do not use nf_brifge or secpath.

Then the extension framework isn't built and the result
is exactly the same as before these patches: helpers
turn into empty inline stubs.

If its built, sk_buff size is reduced by up to one pointer,
and the added one isn't initialised at allocation time.

sk_buff layout with the extension patches is almost same
as with XFRM=n BRIDGE_NF=n (because nf_bridge and sp pointers
get removed), there is only one additional pointer at the end,
not inited at alloc time.  The other new member fills a hole.

> XDP is all about not unifying because unifying has a cost.
> 
> Do we really want to slow down the stack just because MPTCP is coming ?

I don't want to slow down the stack.  All places that gain a helper call
do so instead of the nf_bridge/secpath one.  They only expand into code
if at least one of secpath or nf_bridge are built in.
Both struct secpath and nf_bridge have their refcounts removed, so no
additional reference counts are added.

If you still think this is proposal is a bad idea, ok, let me know
and I will stop working on this.

MPTCP can then just add skb->cb2[], but neither nf_bridge nor secpath can
use it.

If not, I will send another iteration that just allocates the entire
extension space if first extension is added, it simplifies allocation
handling a little.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ