Date:   Wed, 15 May 2019 21:45:56 +0200
From:   Jiri Pirko <jiri@...nulli.us>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org, thomas.lendacky@....com,
        f.fainelli@...il.com, ariel.elior@...ium.com,
        michael.chan@...adcom.com, santosh@...lsio.com,
        madalin.bucur@....com, yisen.zhuang@...wei.com,
        salil.mehta@...wei.com, jeffrey.t.kirsher@...el.com,
        tariqt@...lanox.com, saeedm@...lanox.com, jiri@...lanox.com,
        idosch@...lanox.com, jakub.kicinski@...ronome.com,
        peppe.cavallaro@...com, grygorii.strashko@...com, andrew@...n.ch,
        vivien.didelot@...oirfairelinux.com, alexandre.torgue@...com,
        joabreu@...opsys.com, linux-net-drivers@...arflare.com,
        ganeshgr@...lsio.com, ogerlitz@...lanox.com,
        Manish.Chopra@...ium.com, marcelo.leitner@...il.com,
        mkubecek@...e.cz, venkatkumar.duvvuru@...adcom.com,
        julia.lawall@...6.fr, john.fastabend@...il.com
Subject: Re: [PATCH net-next,RFC 2/2] netfilter: nf_tables: add hardware
 offload support

Wed, May 15, 2019 at 11:13:26AM CEST, pablo@...filter.org wrote:
>On Wed, May 15, 2019 at 01:03:31AM +0200, Pablo Neira Ayuso wrote:
>> On Tue, May 14, 2019 at 07:01:08PM +0200, Jiri Pirko wrote:
>> > Thu, May 09, 2019 at 06:39:51PM CEST, pablo@...filter.org wrote:
>> > >This patch adds hardware offload support for nftables through the
>> > >existing netdev_ops->ndo_setup_tc() interface, the TC_SETUP_CLSFLOWER
>> > >classifier and the flow rule API. This hardware offload support is
>> > >available for the NFPROTO_NETDEV family and the ingress hook.
>> > >
>> > >Each nftables expression has a new ->offload interface, that is used to
>> > >populate the flow rule object that is attached to the transaction
>> > >object.
>> > >
>> > >There is a new per-table NFT_TABLE_F_HW flag, that is set on to offload
>> > >an entire table, including all of its chains.
>> > >
>> > >This patch adds support for basic metadata (layer 3 and 4 protocol numbers),
>> > >5-tuple payload matching and the accept/drop actions; this also includes
>> > >basechain hardware offload only.
>> > >
>> > >Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
>> > 
>> > [...]
>> > 
>> > >+static int nft_flow_offload_chain(struct nft_trans *trans,
>> > >+				  enum flow_block_command cmd)
>> > >+{
>> > >+	struct nft_chain *chain = trans->ctx.chain;
>> > >+	struct netlink_ext_ack extack = {};
>> > >+	struct flow_block_offload bo = {};
>> > >+	struct nft_base_chain *basechain;
>> > >+	struct net_device *dev;
>> > >+	int err;
>> > >+
>> > >+	if (!nft_is_base_chain(chain))
>> > >+		return -EOPNOTSUPP;
>> > >+
>> > >+	basechain = nft_base_chain(chain);
>> > >+	dev = basechain->ops.dev;
>> > >+	if (!dev)
>> > >+		return -EOPNOTSUPP;
>> > >+
>> > >+	bo.command = cmd;
>> > >+	bo.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
>> > >+	bo.block_index = (u32)trans->ctx.chain->handle;
>> > >+	bo.extack = &extack;
>> > >+	INIT_LIST_HEAD(&bo.cb_list);
>> > >+
>> > >+	err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
>> > 
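Review bot: dev->netdev_ops->ndo_setup_tc is called unconditionally once dev is non-NULL, but nothing in the hunk checks that the device actually implements it, so a netdev whose ndo_setup_tc is NULL would dereference a NULL function pointer; add `if (!dev->netdev_ops->ndo_setup_tc) return -EOPNOTSUPP;` right after the `if (!dev)` test. The `(u32)trans->ctx.chain->handle` cast for bo.block_index also throws away the upper bits of the chain handle, so two distinct chains can end up with the same block index on the same device; either derive block_index from something that is unique in 32 bits or reject handles that do not fit.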
>> > Okay, so you pretend to be clsact-ingress-flower. That looks fine.
>> > But how do you ensure that the real one does not bind a block on the
>> > same device too?
>> 
>> I could store the interface index in the block_cb object, then use the
>> tuple [ cb, cb_ident, ifindex ] to check if the block is already bound
>> when flow_block_cb_alloc() is called.
>
>Actually cb_ident would be sufficient. One possibility would be to

That is what I wrote :)


>extend flow_block_cb_alloc() to check for an existing binding.
>
>diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
>index cf984ef05609..44172014cebe 100644
>--- a/net/core/flow_offload.c
>+++ b/net/core/flow_offload.c
>@@ -193,9 +193,15 @@ struct flow_block_cb *flow_block_cb_alloc(u32 block_index, tc_setup_cb_t *cb,
> {
>        struct flow_block_cb *block_cb;
> 
>+       list_for_each_entry(block_cb, &flow_block_cb_list, list) {
>+               if (block_cb->cb == cb &&
>+                   block_cb->cb_ident == cb_ident)
>+                       return ERR_PTR(-EBUSY);
>+       }
>+
>        block_cb = kzalloc(sizeof(*block_cb), GFP_KERNEL);
>        if (!block_cb)
>-               return NULL;
>+               return ERR_PTR(-ENOMEM);
> 
>        block_cb->cb = cb;
>        block_cb->cb_ident = cb_ident;
>
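Review bot: the `-return NULL;` / `+return ERR_PTR(-ENOMEM);` change replaces the NULL failure convention of flow_block_cb_alloc() with error pointers, and the new `return ERR_PTR(-EBUSY);` path adds a second one, but no caller is converted in this hunk; any caller still written as `if (!block_cb)` will treat the error pointer as a valid block_cb and dereference it, so every caller needs an IS_ERR()/PTR_ERR() conversion in the same patch. The list_for_each_entry() walk over flow_block_cb_list also runs with no lock taken in the visible lines while the function appends to that same list, so either state which lock (rtnl, presumably) the caller is expected to hold in a comment above the walk, or take it here.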
>Thanks.
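
An added example, not part of this thread and not the kernel's or the patch's code: a userspace C model of the duplicate-binding check that Pablo's diff sketches, returning kernel-style error pointers so that the caller-side consequence of the NULL-to-ERR_PTR change is visible. Everything in it is assumed for illustration: a single global registry list with no concurrency, ERR_PTR/IS_ERR/PTR_ERR re-implemented rather than taken from the kernel, a fake driver callback standing in for ndo_setup_tc, and constructed block indexes and per-device identities; binding identity is the [cb, cb_ident] pair the patch compares, which is what Jiri says is sufficient.

```c
/* Added example, not from the patch or the kernel: a userspace model of the
 * flow_block_cb_alloc() duplicate-binding check with kernel-style ERR_PTR
 * results. Assumed: one global registry, no concurrency, and binding
 * identity is the [cb, cb_ident] pair the patch compares. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

typedef int (*setup_cb_t)(unsigned int type, void *type_data, void *cb_priv);

struct block_cb {
	setup_cb_t cb;          /* driver callback */
	void *cb_ident;         /* driver-private identity, usually its per-netdev struct */
	uint32_t block_index;
	struct block_cb *next;
};

static struct block_cb *block_cb_list;   /* plays the role of flow_block_cb_list */

/* Error pointers as the kernel encodes them: -errno in the top page of address space. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

static struct block_cb *block_cb_lookup(setup_cb_t cb, void *cb_ident)
{
	for (struct block_cb *b = block_cb_list; b; b = b->next)
		if (b->cb == cb && b->cb_ident == cb_ident)
			return b;
	return NULL;
}

/* Register a binding; a second binder of the same [cb, cb_ident] gets -EBUSY. */
struct block_cb *block_cb_alloc(uint32_t block_index, setup_cb_t cb, void *cb_ident)
{
	struct block_cb *b;

	if (block_cb_lookup(cb, cb_ident))
		return ERR_PTR(-EBUSY);
	b = calloc(1, sizeof(*b));
	if (!b)
		return ERR_PTR(-ENOMEM);
	b->cb = cb;
	b->cb_ident = cb_ident;
	b->block_index = block_index;
	b->next = block_cb_list;
	block_cb_list = b;
	return b;
}

/* Unbind: unlink from the registry and free, so the pair can be bound again. */
void block_cb_free(struct block_cb *b)
{
	for (struct block_cb **pp = &block_cb_list; *pp; pp = &(*pp)->next) {
		if (*pp == b) {
			*pp = b->next;
			free(b);
			return;
		}
	}
}

/* Stand-in for a NIC driver's block callback (constructed, does nothing). */
static int fake_driver_cb(unsigned int type, void *type_data, void *cb_priv)
{
	(void)type; (void)type_data; (void)cb_priv;
	return 0;
}

/* clsact/flower binds a block on a device, then nftables tries to bind its own
 * block through the same driver callback and cb_ident. Returns what the second
 * binder sees; the block indexes are constructed values. */
int demo_second_binder_is_refused(void)
{
	static int dev_priv;   /* stands in for the driver's per-netdev private data */
	struct block_cb *clsact = block_cb_alloc(1, fake_driver_cb, &dev_priv);
	struct block_cb *nft;
	int rc;

	if (IS_ERR(clsact))
		return (int)PTR_ERR(clsact);
	nft = block_cb_alloc(0x1234, fake_driver_cb, &dev_priv);
	rc = IS_ERR(nft) ? (int)PTR_ERR(nft) : 0;   /* a NULL test would miss this */
	if (!rc)
		block_cb_free(nft);
	block_cb_free(clsact);
	return rc;
}

/* A different cb_ident (another device) is not a duplicate, and once the first
 * binder unbinds, the same pair can be bound again. Returns 0 on that outcome. */
int demo_rebind_after_unbind(void)
{
	static int dev_a, dev_b;
	struct block_cb *a = block_cb_alloc(1, fake_driver_cb, &dev_a);
	struct block_cb *b = block_cb_alloc(2, fake_driver_cb, &dev_b);

	if (IS_ERR(a) || IS_ERR(b)) {
		if (!IS_ERR(a)) block_cb_free(a);
		if (!IS_ERR(b)) block_cb_free(b);
		return IS_ERR(a) ? (int)PTR_ERR(a) : (int)PTR_ERR(b);
	}
	block_cb_free(a);
	a = block_cb_alloc(3, fake_driver_cb, &dev_a);   /* pair released: allowed again */
	if (IS_ERR(a)) {
		block_cb_free(b);
		return (int)PTR_ERR(a);
	}
	block_cb_free(a);
	block_cb_free(b);
	return 0;
}
```

The two demo functions are the callers' view of the change: once the allocator can hand back ERR_PTR(-EBUSY) or ERR_PTR(-ENOMEM), a plain NULL check never fires, which is why every call site has to move to IS_ERR()/PTR_ERR() in the same change that alters the return convention.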
