| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Jan 2020 11:29:00 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: Yoshiki Komachi <komachi.yoshiki@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Alexei Starovoitov <ast@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
Andrii Nakryiko <andriin@...com>,
Petar Penkov <ppenkov.kernel@...il.com>
Cc: netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH v2 bpf 0/2] Fix the classification based on port ranges in
bpf hook
On 1/17/20 8:05 AM, Yoshiki Komachi wrote:
> When I tried a test based on the selftest program for BPF flow dissector
> (test_flow_dissector.sh), I observed unexpected result as below:
>
> $ tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \
> udp src_port 8-10 action drop
> $ tools/testing/selftests/bpf/test_flow_dissector -i 4 -f 9 -F
> inner.dest4: 127.0.0.1
> inner.source4: 127.0.0.3
> pkts: tx=10 rx=10
>
> The last rx means the number of received packets. I expected rx=0 in this
> test (i.e., all received packets should have been dropped), but it resulted
> in acceptance.
>
> Although the previous commit 8ffb055beae5 ("cls_flower: Fix the behavior
> using port ranges with hw-offload") added new flag and field toward filtering
> based on port ranges with hw-offload, it missed applying for BPF flow dissector
> then. As a result, BPF flow dissector currently stores data extracted from
> packets in incorrect field used for exact match whenever packets are classified
> by filters based on port ranges. Thus, they never match rules in such cases
> because flow dissector gives rise to generating incorrect flow keys.
>
> This series fixes the issue by replacing incorrect flag and field with new
> ones in BPF flow dissector, and adds a test for filtering based on specified
> port ranges to the existing selftest program.
>
> Changes in v2:
> - set key_ports to NULL at the top of __skb_flow_bpf_to_target()
>
> Yoshiki Komachi (2):
> flow_dissector: Fix to use new variables for port ranges in bpf hook
> selftests/bpf: Add test based on port range for BPF flow dissector
>
> net/core/flow_dissector.c | 9 ++++++++-
> tools/testing/selftests/bpf/test_flow_dissector.sh | 14 ++++++++++++++
> 2 files changed, 22 insertions(+), 1 deletion(-)
>
Applied, thanks!
Powered by blists - more mailing lists