lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 3 Jan 2019 16:25:58 +0100
From:   Bartek Kois <>
To:     Cong Wang <>
Cc:     Linux Kernel Network Developers <>
Subject: Re: Problem with queuing vlan tagged packets after migration from
 3.16.0 to 4.9.0

1. What exactly caused this change in the kernel?
2. I don`t understand why adding VLAN tag, which is just 4  additional 
bytes to the passing packet make it impossible to classify.
3. This whole thing makes the QoS under Linux routers hard to configure 
in scenarios with more than one VLAN which is pretty much every slightly 
bigger router nowadays especially if we use IFB and hashing filters. Is 
there any walkaround for that problem?

Best regards
Bartek Kois

W dniu 03.01.2019 o 04:30, Cong Wang pisze:
> On Tue, Jan 1, 2019 at 11:46 AM Bartek Kois <> wrote:
>> Hi
>> Yes it did work since I remember (like around 2.4.x) and it changed
>> since I moved from Debian 8 to 9. I would appreciate fixing that in the
>> future beacuse it is essential for queueing traffic on the routers, but
>> the question is why these filters don`t work in that case:
>>       tc filter add dev $LAN_ETH parent 1:0 protocol ip prio 4 u32 match
>> u32 0x0a000c08 0xffffffff at 20 classid 1:2001      # for ip
>> address
>>       tc filter add dev $LAN_ETH parent 1:0 protocol ip prio 4 u32 match
>> u32 0x0a000c09 0xffffffff at 20 classid 1:2002      # for ip
>> address
>>       tc filter add dev $LAN_ETH parent 1:0 protocol ip prio 4 u32 match
>> u32 0x0a000c10 0xffffffff at 20 classid 1:2003      # for ip
>> address
>> I`ve changed "at 16" which works without vlan tags to "at 20" to take
>> vlan tag into account.
> Yeah, this confirms my speculation.
> The problem is essentially a design flaw of u32 filter, the IP header
> and TCP header offsets are never fixed, for example VLAN tagging and
> IP options. What's more, it is not easy for user-space to learn the offset
> for different packets as it requires to parse into each packets.
> I don't know whether we can fix this either, VLAN call path probably
> already makes assumptions on the current skb->data position, if
> we "fix" it for u32, it would probably break other things.

Powered by blists - more mailing lists