| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Dec 2019 11:26:15 +0800
From: Tonghao Zhang <xiangxia.m.yue@...il.com>
To: bindiya Kurle <bindiyakurle@...il.com>
Cc: Matteo Croce <mcroce@...hat.com>,
Nikolay Aleksandrov <nikolay@...ulusnetworks.com>,
ovs dev <dev@...nvswitch.org>, netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Simon Horman <simon.horman@...ronome.com>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [ovs-dev] [PATCH net-next v2] openvswitch: add TTL decrement action
On Wed, Dec 25, 2019 at 7:16 AM bindiya Kurle <bindiyakurle@...il.com> wrote:
>
> Hi Tonghao,
> Once this kernel patch is integrated . I will be submitting patch to ovs-dpdk for implementing dec_ttl action on dpdk datapath.
Good, thanks
> Regards,
> Bindiya
>
> On Tue, Dec 24, 2019 at 2:12 PM Tonghao Zhang <xiangxia.m.yue@...il.com> wrote:
>>
>> Hi Matteo,
>> Did you have plan to implement the TTL decrement action in userspace
>> datapath(with dpdk),
>> I am doing some research offloading about TTL decrement action, and
>> may sent patch TTL decrement offload action,
>> using dpdk rte_flow.
>>
>> On Fri, Dec 20, 2019 at 8:37 PM Matteo Croce <mcroce@...hat.com> wrote:
>> >
>> > On Tue, Dec 17, 2019 at 5:30 PM Nikolay Aleksandrov
>> > <nikolay@...ulusnetworks.com> wrote:
>> > >
>> > > On 17/12/2019 17:51, Matteo Croce wrote:
>> > > > New action to decrement TTL instead of setting it to a fixed value.
>> > > > This action will decrement the TTL and, in case of expired TTL, drop it
>> > > > or execute an action passed via a nested attribute.
>> > > > The default TTL expired action is to drop the packet.
>> > > >
>> > > > Supports both IPv4 and IPv6 via the ttl and hop_limit fields, respectively.
>> > > >
>> > > > Tested with a corresponding change in the userspace:
>> > > >
>> > > > # ovs-dpctl dump-flows
>> > > > in_port(2),eth(),eth_type(0x0800), packets:0, bytes:0, used:never, actions:dec_ttl{ttl<=1 action:(drop)},1,1
>> > > > in_port(1),eth(),eth_type(0x0800), packets:0, bytes:0, used:never, actions:dec_ttl{ttl<=1 action:(drop)},1,2
>> > > > in_port(1),eth(),eth_type(0x0806), packets:0, bytes:0, used:never, actions:2
>> > > > in_port(2),eth(),eth_type(0x0806), packets:0, bytes:0, used:never, actions:1
>> > > >
>> > > > # ping -c1 192.168.0.2 -t 42
>> > > > IP (tos 0x0, ttl 41, id 61647, offset 0, flags [DF], proto ICMP (1), length 84)
>> > > > 192.168.0.1 > 192.168.0.2: ICMP echo request, id 386, seq 1, length 64
>> > > > # ping -c1 192.168.0.2 -t 120
>> > > > IP (tos 0x0, ttl 119, id 62070, offset 0, flags [DF], proto ICMP (1), length 84)
>> > > > 192.168.0.1 > 192.168.0.2: ICMP echo request, id 388, seq 1, length 64
>> > > > # ping -c1 192.168.0.2 -t 1
>> > > > #
>> > > >
>> > > > Co-authored-by: Bindiya Kurle <bindiyakurle@...il.com>
>> > > > Signed-off-by: Bindiya Kurle <bindiyakurle@...il.com>
>> > > > Signed-off-by: Matteo Croce <mcroce@...hat.com>
>> > > > ---
>> > > > include/uapi/linux/openvswitch.h | 22 +++++++
>> > > > net/openvswitch/actions.c | 71 +++++++++++++++++++++
>> > > > net/openvswitch/flow_netlink.c | 105 +++++++++++++++++++++++++++++++
>> > > > 3 files changed, 198 insertions(+)
>> > > >
>> > >
>> > > Hi Matteo,
>> > >
>> > > [snip]
>> > > > +}
>> > > > +
>> > > > /* When 'last' is true, sample() should always consume the 'skb'.
>> > > > * Otherwise, sample() should keep 'skb' intact regardless what
>> > > > * actions are executed within sample().
>> > > > @@ -1176,6 +1201,44 @@ static int execute_check_pkt_len(struct datapath *dp, struct sk_buff *skb,
>> > > > nla_len(actions), last, clone_flow_key);
>> > > > }
>> > > >
>> > > > +static int execute_dec_ttl(struct sk_buff *skb, struct sw_flow_key *key)
>> > > > +{
>> > > > + int err;
>> > > > +
>> > > > + if (skb->protocol == htons(ETH_P_IPV6)) {
>> > > > + struct ipv6hdr *nh = ipv6_hdr(skb);
>> > > > +
>> > > > + err = skb_ensure_writable(skb, skb_network_offset(skb) +
>> > > > + sizeof(*nh));
>> > >
>> > > skb_ensure_writable() calls pskb_may_pull() which may reallocate so nh might become invalid.
>> > > It seems the IPv4 version below is ok as the ptr is reloaded.
>> > >
>> >
>> > Right
>> >
>> > > One q as I don't know ovs that much - can this action be called only with
>> > > skb->protocol == ETH_P_IP/IPV6 ? I.e. Are we sure that if it's not v6, then it must be v4 ?
>> > >
>> >
>> > I'm adding a check in validate_and_copy_dec_ttl() so only ipv4/ipv6
>> > packet will pass.
>> >
>> > Thanks,
>> >
>> > --
>> > Matteo Croce
>> > per aspera ad upstream
>> >
>> > _______________________________________________
>> > dev mailing list
>> > dev@...nvswitch.org
>> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Powered by blists - more mailing lists