Date:   Thu, 10 Jan 2019 15:11:03 +0100
From:   Martin Olsson <martin.olsson+netdev@...torsecurity.com>
To:     netdev <netdev@...r.kernel.org>
Subject: tc continue vs reclassify problem + no rule hit stats

Why are the two filters 200 and 201 skipped when using 'continue' but
working fine with 'reclassify'?

Here's what I do:

First the working example:

tc qdisc  add dev $1 ingress
tc filter add dev $1 parent ffff: prio 100  protocol 802.1Q  matchall \
                      action vlan pop reclassify
tc filter add dev $1 parent ffff: prio 200  protocol ip      u32 \
                      match ip src 10.10.10.0/24  action drop
tc filter add dev $1 parent ffff: prio 201  protocol ip      u32 \
                      match ip dst 10.10.10.0/24  action drop
tc filter add dev $1 parent ffff: prio 999  protocol all     matchall \
                      action mirred egress redirect dev mon0

rule 100:
  Match packets for proto 802.1q.
  For all matching packets, strip the vlan header.
  Then reclassify the packet.
rule 200 & 201:
  Match packets for proto ip.
  For all matching packets, drop 10.10.10.x.
rule 999:
  Debugging rule. Mirror the remaining packets to mon0.


I replay 400 000 packets to this interface.
  100% of the packets are VLAN-tagged.
  26 036 of the packets are to/from 10.10.10.x.
  1 604 of the packets are non-IP.

Stats after this:

# tc -s -d filter show dev enp1s0f0 root
filter parent ffff: protocol 802.1Q pref 100 matchall
filter parent ffff: protocol 802.1Q pref 100 matchall handle 0x1
        action order 1:  vlan pop reclassify     ########## reclassify #####
         index 1 ref 1 bind 1 installed 245805 sec used 862 sec
        Action statistics:
        Sent 218959672 bytes 400000 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

### Correct. All received 400 000 packets were .1q and are now popped.

filter parent ffff: protocol ip pref 200 u32
filter parent ffff: protocol ip pref 200 u32 fh 800: ht divisor 1
filter parent ffff: protocol ip pref 200 u32 fh 800::800 order 2048
key ht 800 bkt 0 terminal flowid ???  (rule hit 398396 success 15568)
  match 0a0a0a00/ffffff00 at 12 (success 15568 )
        action order 1: gact action drop
         random type none pass val 0
         index 2 ref 1 bind 1 installed 245805 sec used 862 sec
        Action statistics:
        Sent 17295008 bytes 15568 pkt (dropped 15568, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

### Correct. Out of the 400 000 reclassified (and now vlan-free)
packets, 1 604 are non-IP, so 398 396 are IP packets and 15 568 match
src 10.10.10.x.

filter parent ffff: protocol ip pref 201 u32
filter parent ffff: protocol ip pref 201 u32 fh 801: ht divisor 1
filter parent ffff: protocol ip pref 201 u32 fh 801::800 order 2048
key ht 801 bkt 0 terminal flowid ???  (rule hit 382828 success 10468)
  match 0a0a0a00/ffffff00 at 16 (success 10468 )
        action order 1: gact action drop
         random type none pass val 0
         index 3 ref 1 bind 1 installed 245805 sec used 862 sec
        Action statistics:
        Sent 1055432 bytes 10468 pkt (dropped 10468, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

### Correct. Out of the remaining 398 396 - 15 568 dropped = 382 828 packets,
382 828 of them are IP packets and 10 468 match dst 10.10.10.x.

filter parent ffff: protocol all pref 999 matchall
filter parent ffff: protocol all pref 999 matchall handle 0x1
        action order 1: mirred (Egress Redirect to device mon0) stolen
        index 1 ref 1 bind 1 installed 245805 sec used 862 sec
        Action statistics:
        Sent 200609232 bytes 373964 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

### Correct. The remaining 398 396 - 15 568 - 10 468 + 1 604 = 373 964 packets are mirrored.

Now I reboot the test-machine and make one single change: I use
'continue' instead of 'reclassify' on rule 100:

tc qdisc  add dev $1 ingress
tc filter add dev $1 parent ffff: prio 100  protocol 802.1Q  matchall \
                      action vlan pop continue
                                      ^^^^^^^^
tc filter add dev $1 parent ffff: prio 200  protocol ip      u32 \
                      match ip src 10.10.10.0/24  action drop
tc filter add dev $1 parent ffff: prio 201  protocol ip      u32 \
                      match ip dst 10.10.10.0/24  action drop
tc filter add dev $1 parent ffff: prio 999  protocol all     matchall \
                      action mirred egress redirect dev mon0

I then replay the same 400 000 tagged packets again.

I assume that after the received packets are vlan-popped (in rule
100), the classification process should *continue* on the next rule
200.
But neither rule 200 nor 201 match. They get "rule hit 0".

# tc -s -d filter show dev enp1s0f0 root
filter parent ffff: protocol 802.1Q pref 100 matchall
filter parent ffff: protocol 802.1Q pref 100 matchall handle 0x1
        action order 1:  vlan pop continue     ########## continue #####
         index 1 ref 1 bind 1 installed 441 sec used 75 sec
        Action statistics:
        Sent 218959672 bytes 400000 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

filter parent ffff: protocol ip pref 200 u32
filter parent ffff: protocol ip pref 200 u32 fh 800: ht divisor 1
filter parent ffff: protocol ip pref 200 u32 fh 800::800 order 2048
key ht 800 bkt 0 terminal flowid ???  (rule hit 0 success 0)
  match 0a0a0a00/ffffff00 at 12 (success 0 )
        action order 1: gact action drop
         random type none pass val 0
         index 2 ref 1 bind 1 installed 441 sec used 441 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

filter parent ffff: protocol ip pref 201 u32
filter parent ffff: protocol ip pref 201 u32 fh 801: ht divisor 1
filter parent ffff: protocol ip pref 201 u32 fh 801::800 order 2048
key ht 801 bkt 0 terminal flowid ???  (rule hit 0 success 0)
  match 0a0a0a00/ffffff00 at 16 (success 0 )
        action order 1: gact action drop
         random type none pass val 0
         index 3 ref 1 bind 1 installed 441 sec used 441 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

filter parent ffff: protocol all pref 999 matchall
filter parent ffff: protocol all pref 999 matchall handle 0x1
        action order 1: mirred (Egress Redirect to device mon0) stolen
        index 1 ref 1 bind 1 installed 441 sec used 75 sec
        Action statistics:
        Sent 218959672 bytes 400000 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

In the debug-rule 999 (and on the mirror destination interface) I see
all 400 000 untagged packets.
I expected 400 000 - 15 568 - 10 468 = 373 964 as in the previous example.


Why do I need to do a full reclassification?

My best guess/theory:
The received packet is only classified *once*, and some smart function
marks which rules match the protocol criteria.
In my case I receive an 802.1q packet, so only rules 100 (match
protocol 802.1Q) and 999 (match protocol all) are marked for
evaluation.


I use the generic kernel and tools from Debian 9.
# uname -a
Linux foobar 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
I've compiled nothing.
I've set no sysctl tweaks.

PS:

Another question:

In the 'reclassify' scenario, I want to be able to see that rule 100
has actually been hit 800 000 times (with only 400 000 successes), and
rule 999 was hit 373 964 with 373 964 successes.
But I'm missing the string "(rule hit 800000 success 400000)" in this output:

# tc -s -d filter show dev enp1s0f0 root
filter parent ffff: protocol 802.1Q pref 100 matchall
filter parent ffff: protocol 802.1Q pref 100 matchall handle 0x1
####no hit stats here####
        action order 1:  vlan pop reclassify
         index 1 ref 1 bind 1 installed 245805 sec used 862 sec
        Action statistics:
        Sent 218959672 bytes 400000 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

Why don't the sections for rules 100 and 999 show any rule hit statistics?
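As an added model of the behaviour described above (this is not code from the post, and not kernel code), the walk below assumes what the post's theory also assumes: the packet's protocol is read once before the filters are looped over, and only a reclassify restarts the walk and re-reads it, while continue keeps the stale 802.1Q value. The traffic is constructed to match the post's composition; the filter tuple layout, the verdict strings and the MAX_REC_LOOP bound are this example's own.

```python
from collections import Counter

ETH_P_ALL, ETH_P_8021Q, ETH_P_IP = "all", "802.1Q", "ip"
MAX_REC_LOOP = 4  # bound on reclassify restarts before the packet is dropped

def build_filters(control_after_pop):
    """Filters in prio order: (prio, protocol, match, action, control)."""
    return [
        (100, ETH_P_8021Q, lambda p: True, "vlan pop", control_after_pop),
        (200, ETH_P_IP, lambda p: p.get("src") == "10.10.10.x", "drop", "terminal"),
        (201, ETH_P_IP, lambda p: p.get("dst") == "10.10.10.x", "drop", "terminal"),
        (999, ETH_P_ALL, lambda p: True, "mirred", "terminal"),
    ]

def classify(pkt, filters, hits):
    """Walk the filter list for one packet; count evaluations per prio."""
    protocol = pkt["proto"]  # assumption modelled: read once, before the walk
    restarts, i = 0, 0
    while i < len(filters):
        prio, fproto, match, action, control = filters[i]
        i += 1
        if fproto not in (protocol, ETH_P_ALL):
            continue  # protocol mismatch: the filter is never evaluated
        hits[prio] += 1
        if not match(pkt):
            continue
        if action == "vlan pop":
            pkt["proto"] = pkt.pop("inner")  # tag stripped, packet is now IP/other
        if control == "reclassify":
            if restarts == MAX_REC_LOOP:
                return "shot"  # reclassify loop guard
            restarts, i = restarts + 1, 0
            protocol = pkt["proto"]  # only a restart re-reads the protocol
        elif control != "continue":  # 'continue' moves on; protocol stays 802.1Q
            return action
    return "unspec"

def make_traffic():
    # Constructed replay with the post's composition: 400 000 tagged frames
    tagged = {"proto": ETH_P_8021Q}
    yield from ({**tagged, "inner": "arp"} for _ in range(1604))
    yield from ({**tagged, "inner": ETH_P_IP, "src": "10.10.10.x"} for _ in range(15568))
    yield from ({**tagged, "inner": ETH_P_IP, "dst": "10.10.10.x"} for _ in range(10468))
    yield from ({**tagged, "inner": ETH_P_IP} for _ in range(372360))

def run(control_after_pop):
    # Replay the traffic; return (hits per prio, packets per final action)
    filters, hits, verdicts = build_filters(control_after_pop), Counter(), Counter()
    for pkt in make_traffic():
        verdicts[classify(pkt, filters, hits)] += 1
    return hits, verdicts
```

run("reclassify") reproduces the post's hit counts for rules 200, 201 and 999; run("continue") reproduces the zero hits on 200 and 201 and all 400 000 packets reaching 999.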
