| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Apr 2019 07:47:10 +0000
From: Paul Blakey <paulb@...lanox.com>
To: Kevin 'ldir' Darbyshire-Bryant <ldir@...byshire-bryant.me.uk>,
Cong Wang <xiyou.wangcong@...il.com>
CC: Paul Blakey <paulb@...lanox.com>,
Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
"jhs@...atatu.com" <jhs@...atatu.com>,
"jiri@...nulli.us" <jiri@...nulli.us>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Oz Shlomo <ozsh@...lanox.com>
Subject: Re: [RFC net-next 0/1] net: sched: Introduce conntrack action
Kevin 'ldir' Darbyshire-Bryant wrote on 02/04/2019 12:24:
> Hi Cong & all,
>
>> On 1 Apr 2019, at 22:06, Cong Wang <xiyou.wangcong@...il.com> wrote:
>>
>> On Mon, Apr 1, 2019 at 7:22 AM Paul Blakey <paulb@...lanox.com> wrote:
>>>
>>
> <snip some context>
>>
>>>
>>> This would probably be better off with the previous name act_conndscp.
>>
>>
>> If naming is the only concern here, then it is not hard to find
>> a name we are all satisfied with, like act_ctinfo (if we still want more
>> than just DSCP).
>
> Personally I don’t *need* anything more than restoring the DSCP from conntrack mark, however my own narrow viewpoint doesn’t preclude some future desire to restore something else. For that reason I changed the name from act_conndscp to act_conntrack and hope that the latest suggested name change ‘act_ctinfo’ be the last. Incidentally I like the name ‘act_ctinfo’ especially if it is intended there be a ’send to conntrack’ type action of act_ct/act_conntrack.
>
> Moving on from naming the darn thing and assuming ‘act_ctinfo’ sticks, is there anything fundamentally wrong with the code? Nitpicks (or bigpicks) in approach or style? I’m naively hoping the first real submission results in “That’s wonderful code, we’d be mad not to accept it” instead of “you’ve done that wrong, and that, and that, and that….” :-)
>
>
>>
>> Thanks.
>
>
> Cheers,
>
> Kevin D-B
>
> gpg: 012C ACB2 28C6 C53E 9775 9123 B3A2 389B 9DE2 334A
>
Hi Kevin,
If you'd like, You can rebase it on our upcoming act_ct (our
act_conntrack) once we're done (hopefully in a couple of weeks). If you
going with the a standalone action, it's fine with me as well.
> + /* let's not trust userspace entirely */
> + /* need at least contiguous 6 bit mask */
> + if ((0x3f & (ci->mask >> ci->maskshift)) != 0x3f)
> + ci->mode &= ~CONNTRACK_FLAG_SETDSCP;
> + /* mask & statemask must not overlap */
> + if (ci->mask & ci->statemask)
> + ci->mode &= ~CONNTRACK_FLAG_SETDSCP;
> +
Some nitpicks, you check if the user provides sane input in
conntrack_parmset, but instead of returning an error, you just disable
the only action the user provided and the module supports, so it won't
do nothing, yet the command succeeds.
As marcelo said, this module isn't RCUified... see the design pattern in
act_vlan, act_tunnel_key, act_csum, or what this commits changed:
commit 4c5b9d9642c859f7369338fc42c0f62f4151bef3
Author: Manish Kurup <kurup.manish@...il.com>
act_vlan: VLAN action rewrite to use RCU lock/unlock and update
commit 9c5f69bbd75a7db80578782b037629c5f1e59dce
Author: Davide Caratti <dcaratti@...hat.com>
net/sched: act_csum: don't use spinlock in the fast path
And regarding the
> + ct = nf_ct_get(skb, &ctinfo);
> + if (!ct) { /* look harder */
The packet didn't pass connection tracking yet right (!ct) but you're
setting the DSCP early?
> + if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
> + proto, ca->net, &tuple))
> + goto out;
> + zone.id = ca->zone;
> + zone.dir = NF_CT_DEFAULT_ZONE_DIR;
> +
> + thash = nf_conntrack_find_get(ca->net, &zone, &tuple);
> + if (!thash)
> + goto out;
> +
> + if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
> + proto, ca->net, &tuple))
> + goto out;
> +
Aren't searching for the same tuple twice?
Thanks,
Paul.
Powered by blists - more mailing lists