lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190514170108.GC2584@nanopsycho>
Date:   Tue, 14 May 2019 19:01:08 +0200
From:   Jiri Pirko <jiri@...nulli.us>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org, thomas.lendacky@....com,
        f.fainelli@...il.com, ariel.elior@...ium.com,
        michael.chan@...adcom.com, santosh@...lsio.com,
        madalin.bucur@....com, yisen.zhuang@...wei.com,
        salil.mehta@...wei.com, jeffrey.t.kirsher@...el.com,
        tariqt@...lanox.com, saeedm@...lanox.com, jiri@...lanox.com,
        idosch@...lanox.com, jakub.kicinski@...ronome.com,
        peppe.cavallaro@...com, grygorii.strashko@...com, andrew@...n.ch,
        vivien.didelot@...oirfairelinux.com, alexandre.torgue@...com,
        joabreu@...opsys.com, linux-net-drivers@...arflare.com,
        ganeshgr@...lsio.com, ogerlitz@...lanox.com,
        Manish.Chopra@...ium.com, marcelo.leitner@...il.com,
        mkubecek@...e.cz, venkatkumar.duvvuru@...adcom.com,
        julia.lawall@...6.fr, john.fastabend@...il.com
Subject: Re: [PATCH net-next,RFC 2/2] netfilter: nf_tables: add hardware
 offload support

Thu, May 09, 2019 at 06:39:51PM CEST, pablo@...filter.org wrote:
>This patch adds hardware offload support for nftables through the
>existing netdev_ops->ndo_setup_tc() interface, the TC_SETUP_CLSFLOWER
>classifier and the flow rule API. This hardware offload support is
>available for the NFPROTO_NETDEV family and the ingress hook.
>
>Each nftables expression has a new ->offload interface, that is used to
>populate the flow rule object that is attached to the transaction
>object.
>
>There is a new per-table NFT_TABLE_F_HW flag, that is set on to offload
>an entire table, including all of its chains.
>
>This patch supports for basic metadata (layer 3 and 4 protocol numbers),
>5-tuple payload matching and the accept/drop actions; this also includes
>basechain hardware offload only.
>
>Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>

[...]

>+static int nft_flow_offload_chain(struct nft_trans *trans,
>+				  enum flow_block_command cmd)
>+{
>+	struct nft_chain *chain = trans->ctx.chain;
>+	struct netlink_ext_ack extack = {};
>+	struct flow_block_offload bo = {};
>+	struct nft_base_chain *basechain;
>+	struct net_device *dev;
>+	int err;
>+
>+	if (!nft_is_base_chain(chain))
>+		return -EOPNOTSUPP;
>+
>+	basechain = nft_base_chain(chain);
>+	dev = basechain->ops.dev;
>+	if (!dev)
>+		return -EOPNOTSUPP;
>+
>+	bo.command = cmd;
>+	bo.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
>+	bo.block_index = (u32)trans->ctx.chain->handle;
>+	bo.extack = &extack;
>+	INIT_LIST_HEAD(&bo.cb_list);
>+
>+	err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);

Okay, so you pretend to be clsact-ingress-flower. That looks fine.
But how do you ensure that the real one does not bind a block on the
same device too?


>+	if (err < 0)
>+		return err;
>+
>+	list_splice(&bo.cb_list, &basechain->cb_list);
>+	return 0;
>+}
>+

[...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ