lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 14 May 2019 19:01:08 +0200
From:   Jiri Pirko <>
To:     Pablo Neira Ayuso <>
Subject: Re: [PATCH net-next,RFC 2/2] netfilter: nf_tables: add hardware
 offload support

Thu, May 09, 2019 at 06:39:51PM CEST, wrote:
>This patch adds hardware offload support for nftables through the
>existing netdev_ops->ndo_setup_tc() interface, the TC_SETUP_CLSFLOWER
>classifier and the flow rule API. This hardware offload support is
>available for the NFPROTO_NETDEV family and the ingress hook.
>Each nftables expression has a new ->offload interface, that is used to
>populate the flow rule object that is attached to the transaction
>There is a new per-table NFT_TABLE_F_HW flag, that is set on to offload
>an entire table, including all of its chains.
>This patch supports for basic metadata (layer 3 and 4 protocol numbers),
>5-tuple payload matching and the accept/drop actions; this also includes
>basechain hardware offload only.
>Signed-off-by: Pablo Neira Ayuso <>


>+static int nft_flow_offload_chain(struct nft_trans *trans,
>+				  enum flow_block_command cmd)
>+	struct nft_chain *chain = trans->ctx.chain;
>+	struct netlink_ext_ack extack = {};
>+	struct flow_block_offload bo = {};
>+	struct nft_base_chain *basechain;
>+	struct net_device *dev;
>+	int err;
>+	if (!nft_is_base_chain(chain))
>+		return -EOPNOTSUPP;
>+	basechain = nft_base_chain(chain);
>+	dev = basechain->;
>+	if (!dev)
>+		return -EOPNOTSUPP;
>+	bo.command = cmd;
>+	bo.block_index = (u32)trans->ctx.chain->handle;
>+	bo.extack = &extack;
>+	INIT_LIST_HEAD(&bo.cb_list);
>+	err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);

Okay, so you pretend to be clsact-ingress-flower. That looks fine.
But how do you ensure that the real one does not bind a block on the
same device too?

>+	if (err < 0)
>+		return err;
>+	list_splice(&bo.cb_list, &basechain->cb_list);
>+	return 0;


Powered by blists - more mailing lists