Date:   Fri, 30 Aug 2019 02:53:32 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter-devel@...r.kernel.org
Cc:     davem@...emloft.net, netdev@...r.kernel.org, vishal@...lsio.com,
        jakub.kicinski@...ronome.com, saeedm@...lanox.com, jiri@...nulli.us
Subject: [PATCH 0/4 net-next] flow_offload: update mangle action representation

Hi,

This patch updates the mangle action representation:

Patch 1) Undo bitwise NOT operation on the mangle mask (coming from tc
	 pedit userspace).

Patch 2) mangle value &= mask from the front-end side.

Patch 3) adjust offset, length and coalesce consecutive actions.

Patch 4) add payload mangling for netfilter.

After this patchset:

* Offsets do not need to be on 32-bit boundaries anymore. This
  patchset adds front-end code to adjust the offset and length coming
  from the tc pedit representation, so drivers get an exact header field
  offset and length.

* The front-end coalesces consecutive pedit actions into one single
  word, so drivers can mangle IPv6 and ethernet address fields in one
  single go.

On the driver side, diffstat -t shows that driver code to deal with
payload mangling gets simplified:

	INSERTED,DELETED,MODIFIED,FILENAME
	46,116,0,drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c (-70 LOC)
	12,28,0,drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.h (-16 LOC)
	30,60,0,drivers/net/ethernet/mellanox/mlx5/core/en_tc.c (-30 LOC)
	89,111,0,drivers/net/ethernet/netronome/nfp/flower/action.c (-22 LOC)

While on the front-end side, the balance is the following:

	122,21,0,net/sched/cls_api.c (+101 LOC)

Please, apply.

P.S: This patchset comes after the "netfilter: payload mangling offload
     support" series, although it has been heavily reworked.

Pablo Neira Ayuso (4):
  net: flow_offload: flip mangle action mask
  net: flow_offload: bitwise AND on mangle action value field
  net: flow_offload: mangle action at byte level
  netfilter: nft_payload: packet mangling offload support

 .../net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c   | 163 +++++------------
 .../net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.h   |  40 ++--
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c    |  90 +++------
 drivers/net/ethernet/netronome/nfp/flower/action.c | 201 +++++++++------------
 include/net/flow_offload.h                         |   7 +-
 net/netfilter/nft_payload.c                        |  72 ++++++++
 net/sched/cls_api.c                                | 142 +++++++++++++--
 7 files changed, 376 insertions(+), 339 deletions(-)

-- 
2.11.0
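
The normalization steps listed in the cover letter, modelled in userspace as an added example (not code from this patchset or from the kernel): flip the mask, AND the value with it, trim each 32-bit word to the bytes actually modified, and coalesce adjacent results. The struct names, `normalize()` and the sample words are hypothetical, and the sketch assumes a pedit-style mask whose set bits mark bits to preserve.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical types for this sketch, not the kernel's structures. */
struct pedit_word {              /* pedit-style input: one 32-bit word */
	uint32_t offset;         /* byte offset, multiple of 4 */
	uint8_t mask[4], val[4]; /* inverted mask (set bits are kept), new bytes */
};
struct mangle { uint32_t offset, len; uint8_t mask[16], val[16]; };
/* Constructed sample: rewrite 6 bytes at offset 0 and 1 byte at offset 22. */
static const struct pedit_word sample[] = {
	{ 0,  {0x00, 0x00, 0x00, 0x00}, {0xaa, 0xbb, 0xcc, 0xdd} },
	{ 4,  {0x00, 0x00, 0xff, 0xff}, {0xee, 0xff, 0x12, 0x34} },
	{ 20, {0xff, 0xff, 0x00, 0xff}, {0x00, 0x00, 0x40, 0x00} },
};
static struct mangle sample_out[3];
/* Writes byte-level actions to out (room for n) and returns how many. */
static size_t normalize(const struct pedit_word *in, size_t n, struct mangle *out)
{
	size_t count = 0;
	for (size_t i = 0; i < n; i++) {
		uint8_t mask[4], val[4];
		int first = -1, last = -1;
		for (int b = 0; b < 4; b++) {
			mask[b] = (uint8_t)~in[i].mask[b]; /* undo the bitwise NOT */
			val[b] = in[i].val[b] & mask[b];   /* value &= mask */
			if (mask[b]) { last = b; if (first < 0) first = b; }
		}
		if (first < 0) continue;                   /* word modifies nothing */
		uint32_t off = in[i].offset + (uint32_t)first;
		uint32_t len = (uint32_t)(last - first + 1);
		struct mangle *m = count ? &out[count - 1] : NULL;
		/* Start a new action unless this word begins where the last one ends. */
		if (!m || m->offset + m->len != off || m->len + len > sizeof(m->mask)) {
			m = &out[count++];
			memset(m, 0, sizeof(*m));
			m->offset = off;
		}
		memcpy(m->mask + m->len, mask + first, len);
		memcpy(m->val + m->len, val + first, len);
		m->len += len;
	}
	return count;
}
int main(void)
{
	size_t n = normalize(sample, 3, sample_out);
	for (size_t i = 0; i < n; i++)
		printf("offset=%u len=%u\n", (unsigned)sample_out[i].offset, (unsigned)sample_out[i].len);
	return 0;
}
```

The two words covering offsets 0 to 5 collapse into one 6-byte action, and the stray value bytes `0x12 0x34` under preserved mask bits are cleared before a driver would see them.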
