| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190514170108.GC2584@nanopsycho>
Date: Tue, 14 May 2019 19:01:08 +0200
From: Jiri Pirko <jiri@...nulli.us>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org, thomas.lendacky@....com,
f.fainelli@...il.com, ariel.elior@...ium.com,
michael.chan@...adcom.com, santosh@...lsio.com,
madalin.bucur@....com, yisen.zhuang@...wei.com,
salil.mehta@...wei.com, jeffrey.t.kirsher@...el.com,
tariqt@...lanox.com, saeedm@...lanox.com, jiri@...lanox.com,
idosch@...lanox.com, jakub.kicinski@...ronome.com,
peppe.cavallaro@...com, grygorii.strashko@...com, andrew@...n.ch,
vivien.didelot@...oirfairelinux.com, alexandre.torgue@...com,
joabreu@...opsys.com, linux-net-drivers@...arflare.com,
ganeshgr@...lsio.com, ogerlitz@...lanox.com,
Manish.Chopra@...ium.com, marcelo.leitner@...il.com,
mkubecek@...e.cz, venkatkumar.duvvuru@...adcom.com,
julia.lawall@...6.fr, john.fastabend@...il.com
Subject: Re: [PATCH net-next,RFC 2/2] netfilter: nf_tables: add hardware
offload support
Thu, May 09, 2019 at 06:39:51PM CEST, pablo@...filter.org wrote:
>This patch adds hardware offload support for nftables through the
>existing netdev_ops->ndo_setup_tc() interface, the TC_SETUP_CLSFLOWER
>classifier and the flow rule API. This hardware offload support is
>available for the NFPROTO_NETDEV family and the ingress hook.
>
>Each nftables expression has a new ->offload interface, that is used to
>populate the flow rule object that is attached to the transaction
>object.
>
>There is a new per-table NFT_TABLE_F_HW flag, that is set on to offload
>an entire table, including all of its chains.
>
>This patch supports for basic metadata (layer 3 and 4 protocol numbers),
>5-tuple payload matching and the accept/drop actions; this also includes
>basechain hardware offload only.
>
>Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
[...]
>+static int nft_flow_offload_chain(struct nft_trans *trans,
>+ enum flow_block_command cmd)
>+{
>+ struct nft_chain *chain = trans->ctx.chain;
>+ struct netlink_ext_ack extack = {};
>+ struct flow_block_offload bo = {};
>+ struct nft_base_chain *basechain;
>+ struct net_device *dev;
>+ int err;
>+
>+ if (!nft_is_base_chain(chain))
>+ return -EOPNOTSUPP;
>+
>+ basechain = nft_base_chain(chain);
>+ dev = basechain->ops.dev;
>+ if (!dev)
>+ return -EOPNOTSUPP;
>+
>+ bo.command = cmd;
>+ bo.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
>+ bo.block_index = (u32)trans->ctx.chain->handle;
>+ bo.extack = &extack;
>+ INIT_LIST_HEAD(&bo.cb_list);
>+
>+ err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
Okay, so you pretend to be clsact-ingress-flower. That looks fine.
But how do you ensure that the real one does not bind a block on the
same device too?
>+ if (err < 0)
>+ return err;
>+
>+ list_splice(&bo.cb_list, &basechain->cb_list);
>+ return 0;
>+}
>+
[...]
Powered by blists - more mailing lists