lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <d2c7815c-22a0-0004-5151-f3a43941af0a@iogearbox.net>
Date:   Wed, 22 Jan 2020 11:29:00 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Yoshiki Komachi <komachi.yoshiki@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Alexei Starovoitov <ast@...nel.org>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        Andrii Nakryiko <andriin@...com>,
        Petar Penkov <ppenkov.kernel@...il.com>
Cc:     netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH v2 bpf 0/2] Fix the classification based on port ranges in
 bpf hook

On 1/17/20 8:05 AM, Yoshiki Komachi wrote:
> When I tried a test based on the selftest program for BPF flow dissector
> (test_flow_dissector.sh), I observed unexpected result as below:
> 
> $ tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \
> 	udp src_port 8-10 action drop
> $ tools/testing/selftests/bpf/test_flow_dissector -i 4 -f 9 -F
> inner.dest4: 127.0.0.1
> inner.source4: 127.0.0.3
> pkts: tx=10 rx=10
> 
> The last rx means the number of received packets. I expected rx=0 in this
> test (i.e., all received packets should have been dropped), but it resulted
> in acceptance.
> 
> Although the previous commit 8ffb055beae5 ("cls_flower: Fix the behavior
> using port ranges with hw-offload") added new flag and field toward filtering
> based on port ranges with hw-offload, it missed applying for BPF flow dissector
> then. As a result, BPF flow dissector currently stores data extracted from
> packets in incorrect field used for exact match whenever packets are classified
> by filters based on port ranges. Thus, they never match rules in such cases
> because flow dissector gives rise to generating incorrect flow keys.
> 
> This series fixes the issue by replacing incorrect flag and field with new
> ones in BPF flow dissector, and adds a test for filtering based on specified
> port ranges to the existing selftest program.
> 
> Changes in v2:
>   - set key_ports to NULL at the top of __skb_flow_bpf_to_target()
> 
> Yoshiki Komachi (2):
>    flow_dissector: Fix to use new variables for port ranges in bpf hook
>    selftests/bpf: Add test based on port range for BPF flow dissector
> 
>   net/core/flow_dissector.c                          |  9 ++++++++-
>   tools/testing/selftests/bpf/test_flow_dissector.sh | 14 ++++++++++++++
>   2 files changed, 22 insertions(+), 1 deletion(-)
> 

Applied, thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ