| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Jan 2019 00:32:29 -0200
From: Marcelo Ricardo Leitner <mleitner@...hat.com>
To: Guy Shattah <sguy@...lanox.com>,
Marcelo Leitner <mleitner@...hat.com>,
Aaron Conole <aconole@...hat.com>,
John Hurley <john.hurley@...ronome.com>,
Simon Horman <simon.horman@...ronome.com>,
Justin Pettit <jpettit@....org>,
Gregory Rose <gvrose8192@...il.com>,
Eelco Chaudron <echaudro@...hat.com>,
Flavio Leitner <fbl@...hat.com>,
Florian Westphal <fwestpha@...hat.com>,
Jiri Pirko <jiri@...nulli.us>, Rashid Khan <rkhan@...hat.com>,
Sushil Kulkarni <sukulkar@...hat.com>,
Andy Gospodarek <andrew.gospodarek@...adcom.com>,
Roi Dayan <roid@...lanox.com>,
Yossi Kuperman <yossiku@...lanox.com>,
Or Gerlitz <ogerlitz@...lanox.com>,
Rony Efraim <ronye@...lanox.com>,
"davem@...emloft.net" <davem@...emloft.net>
Cc: netdev@...r.kernel.org
Subject: [RFC PATCH 0/6] Initial, PoC implementation of sw datapath of tc+CT
We have been working on the sw datapath of tc+CT. We may not have much
yet, but this should help to shed some light on what is needed,
sw-datapath-wise speaking. Lets grease the wheels!
Some key features are still missing like proper handling of conntrack
labels, indexing all CT entries on a given act_ct action (so that we can
purge them if the action is removed) and properly match on ct_state.
All in all, if anything in there is not aligned with the planning RFC PATCH,
is because it is still in progress, but fell free to highlight it
anyway.
A LOT more will be needed for handling the offloading.
With these patches, this construction:
./tc filter del dev veth1 ingress
./tc filter add dev veth1 ingress proto ip \
matchall \
action ct zone 1 commit \
action goto chain 100
./tc filter add dev veth1 ingress proto ip chain 100 \
flower ct_zone 2 \
action drop
./tc filter add dev veth1 ingress proto ip chain 100 \
flower ct_zone 1 \
action drop
works, in the sense that replaying a tcp packet gets dropped by the last
rule on chain 100, while the first one misses it. Regarding the goto
chain used here, yes, that action has to be done within the ct action
(as described in the planning and in the FIXME tag in 3rd patch).
Marcelo Ricardo Leitner (6):
flow_dissector: add support for matching on ConnTrack
net/sched: flower: add support for matching on ConnTrack
net/sched: add CT action
net/sched: act_ct: add support for force flag
net/sched: act_ct: add support for clear flag
net/sched: act_ct: allow sending a packet through conntrack multiple
times
include/net/flow_dissector.h | 17 +
include/net/tc_act/tc_ct.h | 29 ++
include/uapi/linux/netfilter/xt_connlabel.h | 5 +
include/uapi/linux/pkt_cls.h | 9 +
include/uapi/linux/tc_act/tc_ct.h | 38 ++
net/core/flow_dissector.c | 25 ++
net/sched/Kconfig | 6 +
net/sched/Makefile | 1 +
net/sched/act_ct.c | 385 ++++++++++++++++++++
net/sched/cls_flower.c | 33 ++
10 files changed, 548 insertions(+)
create mode 100644 include/net/tc_act/tc_ct.h
create mode 100644 include/uapi/linux/tc_act/tc_ct.h
create mode 100644 net/sched/act_ct.c
--
2.20.1
Powered by blists - more mailing lists