| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190128125506.GK10660@localhost.localdomain>
Date: Mon, 28 Jan 2019 10:55:06 -0200
From: Marcelo Ricardo Leitner <mleitner@...hat.com>
To: Simon Horman <simon.horman@...ronome.com>
Cc: Guy Shattah <sguy@...lanox.com>, Aaron Conole <aconole@...hat.com>,
John Hurley <john.hurley@...ronome.com>,
Justin Pettit <jpettit@....org>,
Gregory Rose <gvrose8192@...il.com>,
Eelco Chaudron <echaudro@...hat.com>,
Flavio Leitner <fbl@...hat.com>,
Florian Westphal <fwestpha@...hat.com>,
Jiri Pirko <jiri@...nulli.us>, Rashid Khan <rkhan@...hat.com>,
Sushil Kulkarni <sukulkar@...hat.com>,
Andy Gospodarek <andrew.gospodarek@...adcom.com>,
Roi Dayan <roid@...lanox.com>,
Yossi Kuperman <yossiku@...lanox.com>,
Or Gerlitz <ogerlitz@...lanox.com>,
Rony Efraim <ronye@...lanox.com>,
"davem@...emloft.net" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [RFC PATCH 2/6] net/sched: flower: add support for matching on
ConnTrack
On Mon, Jan 28, 2019 at 10:44:23AM +0100, Simon Horman wrote:
> On Sat, Jan 26, 2019 at 01:52:01PM -0200, Marcelo Ricardo Leitner wrote:
> > On Fri, Jan 25, 2019 at 02:37:13PM +0100, Simon Horman wrote:
> > > Hi Marcelo,
> > >
> > > On Fri, Jan 25, 2019 at 12:32:31AM -0200, Marcelo Ricardo Leitner wrote:
> > > > Hook on flow dissector's new interface on ConnTrack from previous patch.
> > > >
> > > > Signed-off-by: Marcelo Ricardo Leitner <mleitner@...hat.com>
> > > > ---
> > > > include/uapi/linux/pkt_cls.h | 9 +++++++++
> > > > net/sched/cls_flower.c | 33 +++++++++++++++++++++++++++++++++
> > > > 2 files changed, 42 insertions(+)
> > > >
> > > > diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h
> > > > index 95d0db2a8350dffb1dd20816591f3b179913fb2e..ba1f3bc01b2fdfd810e37a2b3853a1da1f838acf 100644
> > > > --- a/include/uapi/linux/pkt_cls.h
> > > > +++ b/include/uapi/linux/pkt_cls.h
> > > > @@ -490,6 +490,15 @@ enum {
> > > > TCA_FLOWER_KEY_PORT_DST_MIN, /* be16 */
> > > > TCA_FLOWER_KEY_PORT_DST_MAX, /* be16 */
> > > >
> > > > + TCA_FLOWER_KEY_CT_ZONE, /* u16 */
> > > > + TCA_FLOWER_KEY_CT_ZONE_MASK, /* u16 */
> > > > + TCA_FLOWER_KEY_CT_STATE, /* u8 */
> > > > + TCA_FLOWER_KEY_CT_STATE_MASK, /* u8 */
> > >
> > > With the corresponding flow dissector patch this API is
> > > exposing the contents of an instance of enum ip_conntrack_info
> > > as an ABI for conntrack state.
> > >
> > > I believe (after getting similar review for my geneve options macthing
> > > patches for flower) that this exposes implementation details as an ABI
> > > to a degree that is not desirable.
> > >
> > > My suggested would be to define, say in the form of named bits,
> > > an ABI, that describes the state information that is exposed.
> > > These bits may not correspond directly to the implementation of
> > > ip_conntrack_info.
> > >
> > > I think there should also be some consideration of if a mask makes
> > > sense for the state as, f.e. in the implementation of enum
> > > ip_conntrack_info not all bit combinations are valid.
> >
> > Right. ct_state must be handled differently. For conntrack it is a
> > linear enum and as we want to be able to OR match, we will have to
> > convert the states in a bitfield as you were saying or so.
> >
> > I don't think the representation above wouldn't change, though: we have
> > 8 bits wrapped under a u8. What would change is how we deal with it.
> >
> > If iproute tc is able to parse the cmdline and set a corresponding bit
> > for each state, the flower-side of flow dissector here should be
> > mostly fine (need to consider the invalid bits as you mentioned, as
> > part of sanity checking).
> > Then just need to change on how flow dissector is reading ct_state
> > from the packet.
>
> I'm not entirely opposed to a KABI which defines bits of
> TCA_FLOWER_KEY_CT_STATE in such a way that they match exactly
> the current implementation of enum ip_conntrack_info (though I do suspect
> that a better representation is possible, for some value of better).
Ok. Will check.
>
> But, on the other hand, I am not comfortable in simply sating that
> TCA_FLOWER_KEY_CT_STATE is the same as enum ip_conntrack_info, because
> that exposes an internal implementation detail which may change.
"internal" here is relative because enum ip_conntrack_info is on UAPI
already, at include/uapi/linux/netfilter/nf_conntrack_common.h.
Anyhow, agree that a new listing may make more sense.
The duplicity in enum ip_conntrack_info might hide some surpises for
us too:
enum ip_conntrack_info {
IP_CT_ESTABLISHED, = 0
IP_CT_RELATED, = 1
IP_CT_NEW, = 2
IP_CT_IS_REPLY, = 3 <--
IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
0 + 3 = 3 <--
IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
1 + 3 = 4
>
> > Is your comment only related to ct_state or other fields too? I'm
> > thinking only ct_state.
>
> Sorry that I wasn't clear, I was only referring to ct_state.
No need to be :-)
Thanks,
Marcelo
>
> > > > + TCA_FLOWER_KEY_CT_MARK, /* u32 */
> > > > + TCA_FLOWER_KEY_CT_MARK_MASK, /* u32 */
> > > > + TCA_FLOWER_KEY_CT_LABEL, /* 128 bits */
> > > > + TCA_FLOWER_KEY_CT_LABEL_MASK, /* 128 bits */
> > > > +
> > > > __TCA_FLOWER_MAX,
> > > > };
> > >
> > > ...
> > >
>
Powered by blists - more mailing lists