Date: Thu, 17 Jan 2019 21:33:18 +0800
From: Tonghao Zhang <xiangxia.m.yue@...il.com>
To: Or Gerlitz <gerlitz.or@...il.com>
Cc: Or Gerlitz <ogerlitz@...lanox.com>, Saeed Mahameed <saeedm@...lanox.com>, Leon Romanovsky <leonro@...lanox.com>, Linux Netdev List <netdev@...r.kernel.org>
Subject: Re: [PATCH] net: mlx5: allow default ip_proto to offload

On Thu, Jan 17, 2019 at 8:58 PM Or Gerlitz <gerlitz.or@...il.com> wrote:
>
> On Thu, Jan 17, 2019 at 11:28 AM <xiangxia.m.yue@...il.com> wrote:
> > From: Tonghao Zhang <xiangxia.m.yue@...il.com>
>
> with the current code, if a modification of the ip header is required
> and the ip protocol is not one of tcp, udp or icmp - we err
>
> This is done on purpose, and we don't want to allow offloading
> this header re-write for unknown ip protocol
>
> > Allow default ip_proto to offload, so icmp, tcp, and udp
> > will match the flow as shown below, otherwise we must type the
> > ip_proto for icmp, tcp and udp respectively.
> >
> > $ tc filter add dev netdev01_rep parent ffff: protocol ip prio 1 \
> >         flower skip_sw dst_ip 3.3.3.3 \
> >         action pedit ex munge ip dst set 192.168.1.100 pipe \
> >         action csum ip pipe \
> >         action mirred egress redirect dev netdev02_rep
>
> this flow specifies the ip protocol (1 which is icmp)
>
> > Signed-off-by: Tonghao Zhang <xiangxia.m.yue@...il.com>
> > ---
> >  drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> > index 2ee377a..2a29428 100644
> > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> > @@ -2219,7 +2219,7 @@ static bool modify_header_match_supported(struct mlx5_flow_spec *spec, > > } > > > > ip_proto = MLX5_GET(fte_match_set_lyr_2_4, headers_v, ip_protocol); > > - if (modify_ip_header && ip_proto != IPPROTO_TCP && > > + if (modify_ip_header && ip_proto != 0 && ip_proto != IPPROTO_TCP && > > ip_proto != IPPROTO_UDP && ip_proto != IPPROTO_ICMP) { > > NL_SET_ERR_MSG_MOD(extack, > > "can't offload re-write of non TCP/UDP"); > > but under your patch we will not err for unknown ip protocol > > I have lost you > > BTW - I plan to change the polarity of the check here with the below > patch - please see if it helps your use-case: > > commit 09b972083266fa8cfe2f24e1c264905d5cd021ed > Author: Or Gerlitz <ogerlitz@...lanox.com> > Date: Wed Oct 31 18:42:21 2018 +0200 > > net/mlx5e: Allow TC offload of IP header re-write for more protocols > > So far we allowed re-writing of IP header only for three protocols > (tcp, udp and icmpv4). This is too limiting, e.g for cases where > users want to apply offloading of NAT. > > Take a complimentary approach and allow this for wider set of IP > protocols -- all of them except for three (icmpv6, sctp and udp-lite). > For these protos the current HW isn't capable to properly adjust the > l4 checksum while doing the modification <--- UPDATE - we probably > can do icmpv6 > > Signed-off-by: Or Gerlitz <ogerlitz@...lanox.com> > > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c > b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c > index 608025ca5c04..affb523e0e35 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c 
> @@ -2167,11 +2167,11 @@ static bool > modify_header_match_supported(struct mlx5_flow_spec *spec, > } > > ip_proto = MLX5_GET(fte_match_set_lyr_2_4, headers_v, ip_protocol); > - if (modify_ip_header && ip_proto != IPPROTO_TCP && > - ip_proto != IPPROTO_UDP && ip_proto != IPPROTO_ICMP) { > + if (modify_ip_header && (ip_proto == IPPROTO_ICMPV6 || > + ip_proto == IPPROTO_SCTP || ip_proto == IPPROTO_UDPLITE)) { > NL_SET_ERR_MSG_MOD(extack, > - "can't offload re-write of non TCP/UDP"); > - pr_info("can't offload re-write of ip proto %d\n", ip_proto); > + "can't offload this re-write of IP > addresses"); > + pr_info("can't offload re-write of IP addrs for ip > proto %d\n", ip_proto); > return false; > } We should consider ip_proto == 0, in some case, we only modify dest ip or src ip.
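
Review bot: In the first patch's hunk (Tonghao Zhang's change at -2219), the added `ip_proto != 0` test exempts flows that leave ip_proto unspecified from the TCP/UDP/ICMP allow-list, but such a flow matches packets of every IP protocol, so the re-write can be offloaded for exactly the protocols this check was written to reject. Or Gerlitz's commit message later in the thread names icmpv6, sctp and udp-lite as protocols for which the hardware can't properly adjust the l4 checksum while doing the modification, so a wildcard rule could rewrite addresses on those packets without a matching checksum fix. If wildcard flows are to be accepted, add a comment at the condition stating that 0 means "ip_proto not specified in the match" and why that is safe, and update the extack text "can't offload re-write of non TCP/UDP", which no longer describes the condition (it already omits ICMP).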
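
Review bot: In the second patch's hunk (Or Gerlitz's change at -2167), the new condition rejects only the exact values IPPROTO_ICMPV6, IPPROTO_SCTP and IPPROTO_UDPLITE, so a rule whose ip_proto reads as 0 passes the check and is offloaded even though it can match traffic of those three protocols. Decide explicitly what ip_proto == 0 should do (the case raised in the reply above) and document that next to the check. The commit message's "UPDATE - we probably can do icmpv6" disagrees with the code, which still rejects IPPROTO_ICMPV6, so settle that before the final version. As quoted here, both string literals are wrapped across lines ("... re-write of IP" / "addresses" and "... for ip" / "proto %d\n"); if the patch itself is wrapped the same way it will not compile, so resend it unwrapped.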