Date:   Wed, 23 Jan 2019 11:29:49 +0000
From:   Guy Shattah <sguy@...lanox.com>
To:     Guy Shattah <sguy@...lanox.com>,
        Marcelo Leitner <mleitner@...hat.com>,
        Aaron Conole <aconole@...hat.com>,
        John Hurley <john.hurley@...ronome.com>,
        Simon Horman <simon.horman@...ronome.com>,
        Justin Pettit <jpettit@....org>,
        Gregory Rose <gvrose8192@...il.com>,
        Eelco Chaudron <echaudro@...hat.com>,
        Flavio Leitner <fbl@...hat.com>,
        Florian Westphal <fwestpha@...hat.com>,
        Jiri Pirko <jiri@...nulli.us>, Rashid Khan <rkhan@...hat.com>,
        Sushil Kulkarni <sukulkar@...hat.com>,
        Andy Gospodarek <andrew.gospodarek@...adcom.com>,
        Roi Dayan <roid@...lanox.com>,
        Yossi Kuperman <yossiku@...lanox.com>,
        Or Gerlitz <ogerlitz@...lanox.com>,
        Rony Efraim <ronye@...lanox.com>,
        "davem@...emloft.net" <davem@...emloft.net>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: [RFC] Connection Tracking Offload netdev RFC v1.0, part 1/2: command line + implementation

--------------------------------------------------------------------------
Connection Tracking Offload netdev RFC v1.0 Part 1/2 - TC with Connection Tracking - command line + implementation
--------------------------------------------------------------------------

OVS recirculation ID is to be translated to TC chain, as described in https://www.netdevconf.org/2.2/papers/efraim-extendtctoct-talk.pdf

------------------------------------------------------------------------------------
CT Matches:
------------------------------------------------------------------------------------
The ct match acts on ct_state bits or ct variables which were modified as a result of a connection tracking action.

Some of the information can be extracted directly from struct nf_conn; the rest of the information can be taken by using
the conntrack_mt...() calls [/net/netfilter/xt_conntrack.c].


1.  ct_state - a new variable
    The ct_state match is used to test the result of connection tracking.
    The bits are set or unset according to the results of the connection tracking module.

The following matchable ct_state items are supported:
*   ±trk - Tracked - has been through the connection tracker
*   ±new - a new connection
*   ±est - Established connection
*   ±dnat - Packet's source address/port was mangled by NAT.
*   ±snat - Packet's destination address/port was mangled by NAT.
*   ±inv - Invalid packet
*   ±rel - Related to an existing connection
*   ±rpl - Reply: connection must be established

Example #1: "tc filter add dev eth5 protocol ip parent ffff: chain 100 flower ct_state +trk +est -dnat action mirred egress redirect dev eth6"

2.  Three additional integer variables.
These variables, which can be set from within the ct_action, are introduced:
     ct_zone  - the zone to commit the connection in (u16); a logically separate connection tracking
                table, for multi-tenancy
     ct_mark  - attaches metadata to particular connections (u32)
     ct_label - similar to mark (128 bits)

Example #2: "tc filter add dev eth5 protocol ip parent ffff: chain 100 flower ct_state +trk +est ct_label 10 ct_zone 9 action drop"

A complete list of the flags and their descriptions can be found at:
http://www.openvswitch.org/support/dist-docs/ovs-fields.7.txt
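As an added illustration (not part of this RFC or of any kernel code) of how the +/- ct_state match in Examples #1 and #2 is encoded and evaluated, the Python below turns a flag spec into a (value, mask) pair and walks a small chain-100 rule set. The bit positions and the rule set are constructed for the example and are not the kernel's encoding.

```python
"""Added example: '+flag' requires the bit set, '-flag' requires it clear,
an unlisted flag is a don't-care.  A flower-style match carries (value, mask):
mask selects the tested bits, value gives their required setting.
Bit positions below are an assumption for illustration only."""

CT_STATE_BITS = {name: 1 << i for i, name in enumerate(
    ["trk", "new", "est", "dnat", "snat", "inv", "rel", "rpl"])}


def parse_ct_state(spec):
    """Turn e.g. '+trk +est -dnat' into a (value, mask) pair."""
    value = mask = 0
    for tok in spec.split():
        sign, name = tok[:1], tok[1:]
        if sign not in ("+", "-") or name not in CT_STATE_BITS:
            raise ValueError(f"bad ct_state token: {tok!r}")
        bit = CT_STATE_BITS[name]
        if mask & bit:
            raise ValueError(f"ct_state flag given twice: {name}")
        mask |= bit
        if sign == "+":
            value |= bit
    return value, mask


def ct_state_of(*flags):
    """Build the ct_state word conntrack would leave on a packet after 'action ct'."""
    return sum(CT_STATE_BITS[f] for f in flags)


def ct_state_matches(pkt_state, value, mask):
    """True when every tested bit of pkt_state has its required value."""
    return (pkt_state & mask) == value


def first_matching_action(rules, pkt_state):
    """Walk a chain's rules in order; each rule is (ct_state spec, action).
    Returns the first matching rule's action, or None if nothing matched."""
    for spec, action in rules:
        value, mask = parse_ct_state(spec)
        if ct_state_matches(pkt_state, value, mask):
            return action
    return None


# Constructed chain-100 rule set modelled on Examples #1 and #2 (not from the RFC).
CHAIN_100 = [
    ("+trk +est -dnat", "mirred egress redirect dev eth6"),
    ("+trk +new", "ct commit"),
    ("+trk +inv", "drop"),
]
```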


------------------------------------------------------------------------------------
CT actions:
------------------------------------------------------------------------------------
The ct_action sends the packet to conntrack (the nf_conntrack_in() method) and then updates the ct_state bits according to the result of connection tracking.


[1] CT action has the following possible arguments:
1.  commit: Commit the connection to the connection tracking module, so that it is
    stored beyond the lifetime of the packet in the pipeline.
2.  force: The force flag may be used in addition to the commit flag to effectively terminate
    the existing connection and start a new one in the current direction.
3.  chain = K (chain is similar to the ct 'table' in OVS syntax): Clone the packet to send to the
    connection tracker. When the connection tracker is finished, resume processing
    in chain K for that packet. The original packet continues right after the ct(...) action.
4.  Set variable: ct_zone, ct_mark, ct_label (see description above)
    Example #3: "tc .... action ct ct_zone 7 commit ct_label 0x0123456789ABCDEF0000111222"
5.  NAT: Specifies the address and port translation for the connection being tracked.
    Example #4: "ct_action nat src 10.0.0.1 10.1.1.0" rewrites the source IP + port from the list.
    Example #5: "tc ... action ct nat src 10.0.0.1 10.1.1.0" rewrites the source IP + port
    from the list.
    Example #6: "tc ... action ct nat auto" rewrites packets automatically from the
    saved kernel NAT list.
  
-----

[2] CT action also has 3 new parameters
Three new variables which can be set from within the ct_action:
1. ct_zone: 16 bit
2. ct_mark: 32 bit
3. ct_label: 128 bit

Example #7: "tc .... action ct ct_zone 7 commit ct_label 0x0123456789ABCDEF0000111222"


------

[3] NAT action.
Supporting
(1) specific NAT for source
(2) specific NAT for destination
(3) automatic.

TC, when instructed when and how to do so, performs the NAT translation using the kernel NAT module,
resulting in a modified skb that returns to the following TC chain for further processing.

Example #8: "tc filter add dev eth5 protocol ip parent ffff: chain 100 flower action ct commit nat src 10.0.0.0 10.0.0.255"
Commit a new connection to conntrack and NAT (replace) the source IP address.

Example #9: "tc filter add dev eth5 protocol ip parent ffff: chain 100 flower action ct commit nat auto"
Commit a new connection to conntrack and NAT (replace) the source IP address.

Additional examples can be found at OVS NAT patch comments:
https://lwn.net/Articles/674868/


[4] Match on the newly added variables (ct_zone, ct_mark, ct_label). Example #10: "tc ct_zone 3 ct_mark 0x333 ...."

----------------------------
Connection-Tracking action:
----------------------------
The TC data path calls the connection tracking nf_conntrack_in() method with the skb; the conntrack result is returned inside skb->_nfct, which is of type struct nf_conn.

Connection-Tracking Match:
----------------------------
The connection tracking match can be done using the conntrack_mt...() calls [/net/netfilter/xt_conntrack.c], which match on connection tracking information.

Connection-Tracking NAT:
-------------------------------
NAT implementation details are the same as in OVS, as described in:

* https://lwn.net/Articles/674868/
* https://lwn.net/Articles/671459/
* http://www.openvswitch.org/support/ovscon2014/17/1030-conntrack_nat.pdf


Required OVS changes
-------------------------------
1. OVS has to be modified to send connection-tracking datapath messages to TC.
2. The OVS datapath has to be enhanced to support enforcement of window validation.
