lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <000fc167-2653-7d3b-80d7-3feba06767cc@gmail.com>
Date:   Tue, 26 Mar 2019 01:06:23 -0700
From:   Eric Dumazet <erdnetdev@...il.com>
To:     Alexei Starovoitov <alexei.starovoitov@...il.com>,
        Eric Dumazet <eric.dumazet@...il.com>
Cc:     brakmo <brakmo@...com>, netdev <netdev@...r.kernel.org>,
        Martin Lau <kafai@...com>, Alexei Starovoitov <ast@...com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Kernel Team <Kernel-team@...com>
Subject: Re: [PATCH bpf-next 0/7] bpf: Propagate cn to TCP



On 03/25/2019 09:27 PM, Alexei Starovoitov wrote:
> On Mon, Mar 25, 2019 at 01:48:27AM -0700, Eric Dumazet wrote:
>>
>>
>> On 03/25/2019 01:33 AM, Eric Dumazet wrote:
>>>
>>>
>>> On 03/24/2019 09:19 AM, Alexei Starovoitov wrote:
>>
>>>> Cover letter also explains why bpf_skb_ecn_set_ce is not enough.
>>>> Please realize that existing qdiscs already doing this.
>>>> The patchset allows bpf-cgroup to do the same.
>>>
>>> Not the same thing I am afraid.
>>
>> To be clear Alexei :
>>
>> Existing qdisc set CE mark on a packet, exactly like a router would do.
>> Simple and universal.
>> This can be stacked, and done far away from the sender.
>>
>> We do not _call_ back local TCP to propagate cn.
> 
> How do you classify NET_XMIT_CN ?


> It's exactly local call back to indicate CN into tcp from layers below tcp.
> tc-bpf prog returning 'drop' code means drop+cn
> whereas cgroup-bpf prog returning 'drop' means drop only.
> This patch set is fixing this discrepancy.


Except this does not work universally.
team or bonding or any tunnel wont propagate this signal.
(This is not something that can be fixed either, since qdisc can be installed there)

This is a wrong design, and we want to get rid of it, and not 'fix it'.

Back to my original concerns :

1) Larry just upstreamed the bpf_skb_ecn_set_ce().
   This part was fine, we did the same in fq_codel an fq already.

2)
 This ability to inject directly to TCP stack local drops is exactly confirming
 why I complained earlier about why policers are often wrong. Trying to cope with them
 is a nightmare.

I feel you need this because your ebpf code was only able to accept or drop a packet (aka a policer)

EDT model allows for extending the skb->tstamp and not breaking TSQ logic : no local drops.

One of the ECN goal is to avoid drops in the first place, so adding something to favor
local drops sounds a step in the wrong direction.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ