Message-ID: <20190802134738.328691b4@cakuba.netronome.com>
Date:   Fri, 2 Aug 2019 13:47:38 -0700
From:   Jakub Kicinski <jakub.kicinski@...ronome.com>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org, marcelo.leitner@...il.com,
        jiri@...nulli.us, wenxu@...oud.cn, saeedm@...lanox.com,
        paulb@...lanox.com, gerlitz.or@...il.com
Subject: Re: [PATCH net 0/2] flow_offload hardware priority fixes

On Fri, 2 Aug 2019 13:00:23 +0200, Pablo Neira Ayuso wrote:
> Hi Jakub,
> 
> If the user specifies 'pref' in the new rule, then tc checks if there
> is a tcf_proto object that matches this priority. If the tcf_proto
> object does not exist, tc creates a tcf_proto object and it adds the
> new rule to this tcf_proto.
> 
> In cls_flower, each tcf_proto only stores one single rule, so if the
> user tries to add another rule with the same 'pref', cls_flower
> returns EEXIST.

😳 

So you're saying this doesn't work?

ip link add type dummy
tc qdisc add dev dummy0 clsact
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::1 action drop
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::2 action drop
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::3 action drop
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::4 action drop
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::5 action drop

tc filter show dev dummy0 ingress

filter protocol ipv6 pref 123 flower chain 0 
filter protocol ipv6 pref 123 flower chain 0 handle 0x1 
  eth_type ipv6
  src_ip 1111::1
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 1 ref 1 bind 1

filter protocol ipv6 pref 123 flower chain 0 handle 0x2 
  eth_type ipv6
  src_ip 1111::2
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 2 ref 1 bind 1

filter protocol ipv6 pref 123 flower chain 0 handle 0x3 
  eth_type ipv6
  src_ip 1111::3
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 3 ref 1 bind 1

filter protocol ipv6 pref 123 flower chain 0 handle 0x4 
  eth_type ipv6
  src_ip 1111::4
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 4 ref 1 bind 1

filter protocol ipv6 pref 123 flower chain 0 handle 0x5 
  eth_type ipv6
  src_ip 1111::5
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 5 ref 1 bind 1


> I'll prepare a new patchset not to map the priority to the netfilter
> basechain priority, instead the rule priority will be internally
> allocated for each new rule.

In which you're adding fake priorities to rules, AFAICT, 
and continue to baffle me.
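The `tc filter show` output quoted above illustrates the point of the exchange: one `tcf_proto` line per (protocol, pref, chain) followed by several rule lines, each with its own handle, all sharing `pref 123`. The script below is an added example and is not part of the thread or of the tc/netfilter code; it summarises that output format per pref, counting the `tcf_proto` header, the rules under it, and how many of them report `in_hw` versus `not_in_hw`, which is the check an operator would run after asking a driver to offload flower rules. The sample input is constructed to mirror the format shown in the message (five rules at one pref, none offloaded); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise `tc filter show`
# output per (protocol, pref, chain) and report offload status.

# Constructed sample in the same format as the output quoted in the thread:
# one tcf_proto line (no handle) followed by rules that each carry a handle.
SAMPLE_TC_OUTPUT='filter protocol ipv6 pref 123 flower chain 0
filter protocol ipv6 pref 123 flower chain 0 handle 0x1
  eth_type ipv6
  src_ip 1111::1
  not_in_hw
        action order 1: gact action drop
filter protocol ipv6 pref 123 flower chain 0 handle 0x2
  eth_type ipv6
  src_ip 1111::2
  not_in_hw
        action order 1: gact action drop
filter protocol ipv6 pref 123 flower chain 0 handle 0x3
  eth_type ipv6
  src_ip 1111::3
  not_in_hw
        action order 1: gact action drop
filter protocol ipv6 pref 123 flower chain 0 handle 0x4
  eth_type ipv6
  src_ip 1111::4
  not_in_hw
        action order 1: gact action drop
filter protocol ipv6 pref 123 flower chain 0 handle 0x5
  eth_type ipv6
  src_ip 1111::5
  not_in_hw
        action order 1: gact action drop'

# summarize_filters: reads `tc filter show` output on stdin and prints one line
# per (protocol, pref, chain):
#   protocol=<p> pref=<n> chain=<c> tcf_proto=<n> rules=<n> in_hw=<n> not_in_hw=<n>
summarize_filters() {
    awk '
    /^filter / {
        # Pick the protocol / pref / chain values out of the header fields.
        for (i = 1; i <= NF; i++) {
            if ($i == "protocol") proto = $(i + 1)
            if ($i == "pref")     pref  = $(i + 1)
            if ($i == "chain")    chain = $(i + 1)
        }
        key = "protocol=" proto " pref=" pref " chain=" chain
        if ($0 ~ /handle /) { rules[key]++; cur = key }   # a rule (has a handle)
        else                { tp[key]++ }                 # the tcf_proto itself
        next
    }
    # Offload status lines belong to the most recent rule header.
    /^[ \t]*not_in_hw/ { notinhw[cur]++; next }
    /^[ \t]*in_hw/     { inhw[cur]++;    next }
    END {
        for (k in rules)
            printf "%s tcf_proto=%d rules=%d in_hw=%d not_in_hw=%d\n",
                   k, tp[k] + 0, rules[k], inhw[k] + 0, notinhw[k] + 0
    }'
}

# field_for_pref PREF FIELD: value of FIELD (tcf_proto, rules, in_hw, not_in_hw)
# for the given pref in the constructed sample.
field_for_pref() {
    printf '%s\n' "$SAMPLE_TC_OUTPUT" | summarize_filters |
        awk -v p="pref=$1" -v f="$2" '
            $2 == p {
                for (i = 1; i <= NF; i++) {
                    split($i, kv, "=")
                    if (kv[1] == f) print kv[2]
                }
            }'
}

# Stand-alone run: print the per-pref summary of the sample.
printf '%s\n' "$SAMPLE_TC_OUTPUT" | summarize_filters
```

On a live system replace the constructed sample with `tc filter show dev <dev> ingress | summarize_filters`; a pref whose `rules` count is greater than zero while `in_hw` stays at zero is the "installed but not offloaded" case that this patch series is concerned with, and the `tcf_proto=1` alongside `rules=5` is the one-tcf_proto-per-pref structure the message describes.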
