lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 22 Mar 2019 13:05:27 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     "Kevin 'ldir' Darbyshire-Bryant" <ldir@...byshire-bryant.me.uk>
Cc:     "jhs@...atatu.com" <jhs@...atatu.com>,
        "jiri@...nulli.us" <jiri@...nulli.us>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [RFC PATCH 1/1 v2] net: sched: Introduce conndscp action

On Fri, Mar 22, 2019 at 11:26 AM Kevin 'ldir' Darbyshire-Bryant
<ldir@...byshire-bryant.me.uk> wrote:
>
> Hi Cong,
>
> Thanks for your questions.
>
> > On 22 Mar 2019, at 17:39, Cong Wang <xiyou.wangcong@...il.com> wrote:
> >
> > Hello,
> >
> > On Fri, Mar 22, 2019 at 7:09 AM Kevin 'ldir' Darbyshire-Bryant
> > <ldir@...byshire-bryant.me.uk> wrote:
> >>
> >> Conndscp is a new tc filter action module.  It is designed to copy DSCPs
> >> to conntrack marks and the reverse operation of conntrack mark contained
> >> DSCPs to the diffserv field of suitable skbs.
> >>
> >
> > Is it possible and feasible to integrate this into connmark?
>
> I started off coding it that way but quickly ran into my limitations with netlink messaging and became frustrated.  Aside from my own limitations, conndscp ab/uses tcf_qstats requeues & overlimits to indicate DSCP->MARK->DSCP operations and has been useful in proving DSCP/marking operations are occurring in the right times/places.  Integrating with connmark which itself uses overlimits to indicate conntrack mark to skb->mark restoration would lose that differentiation/confirmation/debug ability.  A possibility is to ab/use the drop count instead but I fear that would cause confusion.

This sounds problematic, why a flag/parameter doesn't work?


>
> > Both are intended to retrieve information from conntrack and store
> > it into skb. I know the name "connmark" already says it is a mark,
> > while yours isn't, I still want to see if we can avoid code duplications.
>
> I understand your quest :-)  I think conndscp does a bit more than connmark.  Conndscp is two way diffserv<-->conntrack mark operation.  connmark is a single way conntrack mark->skb.mark operation.

I am not sure if it is a good idea to modify conntrack in TC,
as conntrack doesn't even belong to TC. Retrieving information
from conntrack and saving it to skb is fine, as we modify skb
in many different ways.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ