lists.openwall.net: Open Source and information security mailing list archives

Message-Id: <cbc057d0e7f7cf630beb0b630faf27732ce458a5.1548285996.git.mleitner@redhat.com>
Date:   Fri, 25 Jan 2019 00:32:35 -0200
From:   Marcelo Ricardo Leitner <mleitner@...hat.com>
To:     Guy Shattah <sguy@...lanox.com>,
        Marcelo Leitner <mleitner@...hat.com>,
        Aaron Conole <aconole@...hat.com>,
        John Hurley <john.hurley@...ronome.com>,
        Simon Horman <simon.horman@...ronome.com>,
        Justin Pettit <jpettit@....org>,
        Gregory Rose <gvrose8192@...il.com>,
        Eelco Chaudron <echaudro@...hat.com>,
        Flavio Leitner <fbl@...hat.com>,
        Florian Westphal <fwestpha@...hat.com>,
        Jiri Pirko <jiri@...nulli.us>, Rashid Khan <rkhan@...hat.com>,
        Sushil Kulkarni <sukulkar@...hat.com>,
        Andy Gospodarek <andrew.gospodarek@...adcom.com>,
        Roi Dayan <roid@...lanox.com>,
        Yossi Kuperman <yossiku@...lanox.com>,
        Or Gerlitz <ogerlitz@...lanox.com>,
        Rony Efraim <ronye@...lanox.com>,
        "davem@...emloft.net" <davem@...emloft.net>
Cc:     netdev@...r.kernel.org
Subject: [RFC PATCH 6/6] net/sched: act_ct: allow sending a packet through conntrack multiple times

The first time it may use conntrack to track the tunnel information,
then jump into another chain, and go through conntrack again so that
the inner header is tracked.

This commit clears previous conntrack info if any so that we can
submit it to conntrack again.

Header offsets are supposed to be updated by the decapsulating action.

The main difference from just adding another act_ct(clear) action is that
the clear flag also sets the UNTRACKED mark in the packet (like OvS does).

Signed-off-by: Marcelo Ricardo Leitner <mleitner@...hat.com>
---
 net/sched/act_ct.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 77d55c05ed95d8abc8c35a3d19f453a586139914..6e446db3bcdda772dbe1090d5c584156f6cc59eb 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -196,16 +196,19 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
 	if (unlikely(action == TC_ACT_SHOT))
 		goto drop;
 
-	if (flags & BIT(TC_CT_CLEAR)) {
-		new_ct = nf_ct_get(skb, &ctinfo);
-		if (new_ct) {
-			if (nf_ct_is_confirmed(new_ct))
-				nf_ct_delete(new_ct, 0, 0);
+	new_ct = nf_ct_get(skb, &ctinfo);
+	if (new_ct) {
+		if (nf_ct_is_confirmed(new_ct))
+			nf_ct_delete(new_ct, 0, 0);
 
-			nf_conntrack_put(&new_ct->ct_general);
+		nf_conntrack_put(&new_ct->ct_general);
+
+		if (flags & BIT(TC_CT_CLEAR)) {
 			nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
 			goto out;
 		}
+
+		nf_ct_set(skb, NULL, 0);
 	}
 
 	/* FIXME: For when we support cloning the packet
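Review bot: the `nf_ct_delete(new_ct, 0, 0)` on the confirmed entry now runs for every packet that reaches tcf_ct_act() with a conntrack already attached, not only on the TC_CT_CLEAR path, so each re-submitted inner packet removes the outer tunnel flow's entry from the conntrack table and the next outer packet is seen as a new flow again. Re-submission only needs the skb's own reference dropped: keep `nf_conntrack_put(&new_ct->ct_general);` followed by `nf_ct_set(skb, NULL, 0);` on the non-clear path and leave the delete to the explicit clear flag, or, if tearing the entry down on both paths is intended, state why in the commit message.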
@@ -218,7 +221,6 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
 	skb_pull_rcsum(skb, nh_ofs);
 	/* FIXME: OvS trims the packet here. Should we? */
 
-	/* FIXME: Need to handle multiple calls to CT action here. */
 	if (ct)
 		nf_ct_set(skb, ct, IP_CT_NEW);
 
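Review bot: dropping `/* FIXME: Need to handle multiple calls to CT action here. */` leaves `skb_pull_rcsum(skb, nh_ofs)` with no record of the precondition the commit message relies on, that the decapsulating action has already updated the header offsets before the packet comes through ct a second time; on a second pass with a stale `nh_ofs` the pull strips the wrong number of bytes. Suggest replacing the removed FIXME with a comment at the pull stating that the offsets must have been refreshed by the decap action, since nothing in this function checks it.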
-- 
2.20.1
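The commit message's remark that the clear flag "also sets the UNTRACKED mark in the packet" is the reason the first hunk ends with two different `nf_ct_set(skb, NULL, ...)` calls. The program below is an added example written for this page, not kernel code and not part of the patch: the `model_` prefixed structs and functions are user-space stubs that reproduce only the `skb->_nfct` bit layout (low three bits carry the ctinfo, the rest the `struct nf_conn` pointer) of `nf_ct_set()`/`nf_ct_get()`, the enum values from the kernel's UAPI conntrack header, and the early exit of `nf_conntrack_in()` that accepts an already-tracked or untracked packet without a lookup. The `nf_ct_delete()` of a confirmed entry is deliberately not modelled.

```c
/*
 * User-space model of the skb->_nfct packing used by Linux conntrack.
 * Added example, not kernel code: every model_* name is a stub that only
 * mirrors the bit layout of nf_ct_set()/nf_ct_get() and the early exit
 * of nf_conntrack_in(). Enum values and masks are the kernel's.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* enum ip_conntrack_info, uapi/linux/netfilter/nf_conntrack_common.h */
enum ip_conntrack_info {
	IP_CT_ESTABLISHED = 0, IP_CT_RELATED = 1, IP_CT_NEW = 2,
	IP_CT_ESTABLISHED_REPLY = 3, IP_CT_RELATED_REPLY = 4,
	IP_CT_UNTRACKED = 7,
};

#define NFCT_INFOMASK	7UL		/* low 3 bits: ctinfo */
#define NFCT_PTRMASK	(~NFCT_INFOMASK)	/* rest: struct nf_conn * */

struct model_nf_conn {
	int refcnt;			/* stands in for ct_general.use */
};

struct model_sk_buff {
	unsigned long _nfct;		/* pointer | ctinfo, as in the kernel */
};

static void model_nf_ct_set(struct model_sk_buff *skb, struct model_nf_conn *ct,
			    enum ip_conntrack_info info)
{
	skb->_nfct = (unsigned long)ct | info;
}

static struct model_nf_conn *model_nf_ct_get(const struct model_sk_buff *skb,
					     enum ip_conntrack_info *ctinfo)
{
	*ctinfo = skb->_nfct & NFCT_INFOMASK;
	return (struct model_nf_conn *)(skb->_nfct & NFCT_PTRMASK);
}

/*
 * Early exit of nf_conntrack_in(): a packet already carrying a conntrack,
 * or marked untracked, is accepted with no lookup. True = would be tracked.
 */
static bool model_conntrack_in_would_track(const struct model_sk_buff *skb)
{
	enum ip_conntrack_info ctinfo;
	struct model_nf_conn *ct = model_nf_ct_get(skb, &ctinfo);

	return !ct && ctinfo != IP_CT_UNTRACKED;
}

/*
 * Reset step of the patched tcf_ct_act() prologue: drop the skb's reference,
 * then leave the skb untracked (clear flag) or with no conntrack at all (0)
 * so it can be submitted to conntrack again. True = a reference was dropped.
 */
static bool model_act_ct_reset(struct model_sk_buff *skb, bool clear)
{
	enum ip_conntrack_info ctinfo;
	struct model_nf_conn *ct = model_nf_ct_get(skb, &ctinfo);

	if (!ct)
		return false;
	ct->refcnt--;					/* nf_conntrack_put() */
	model_nf_ct_set(skb, NULL, clear ? IP_CT_UNTRACKED : 0);
	return true;
}

/* Constructed scenario: one outer (tunnel) conntrack, 8-byte aligned so the
 * low bits of its address are free for the ctinfo, as in the kernel. */
static struct model_nf_conn model_outer_ct __attribute__((aligned(8))) = { .refcnt = 1 };

/* Attach the outer ct, run the reset with/without clear; return the new _nfct
 * and report whether a later conntrack hook would still track the packet. */
static unsigned long model_scenario(bool clear, bool *would_track, int *refcnt)
{
	struct model_sk_buff skb;

	model_outer_ct.refcnt = 1;
	model_nf_ct_set(&skb, &model_outer_ct, IP_CT_ESTABLISHED);
	model_act_ct_reset(&skb, clear);
	*would_track = model_conntrack_in_would_track(&skb);
	*refcnt = model_outer_ct.refcnt;
	return skb._nfct;
}

int main(void)
{
	bool track;
	int refcnt;
	unsigned long nfct = model_scenario(true, &track, &refcnt);

	printf("clear:     _nfct=%lu would_track=%d refcnt=%d\n", nfct, track, refcnt);
	nfct = model_scenario(false, &track, &refcnt);
	printf("re-submit: _nfct=%lu would_track=%d refcnt=%d\n", nfct, track, refcnt);
	return 0;
}
```

With the clear flag the skb ends up with `_nfct == 7` (no pointer, ctinfo IP_CT_UNTRACKED), so a later netfilter conntrack hook ignores it, which is the OvS `ct_clear` behaviour the commit message refers to; on the re-submit path `_nfct` is 0, so the packet looks like one conntrack has never seen and the rest of the action can push it through conntrack again.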
