lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87cc5180-4e84-753f-0acf-1c7a0fa8549d@mellanox.com>
Date:   Thu, 19 Mar 2020 18:47:07 +0200
From:   Paul Blakey <paulb@...lanox.com>
To:     Edward Cree <ecree@...arflare.com>,
        Pablo Neira Ayuso <pablo@...filter.org>,
        netfilter-devel@...r.kernel.org
Cc:     davem@...emloft.net, netdev@...r.kernel.org, ozsh@...lanox.com,
        majd@...lanox.com, saeedm@...lanox.com
Subject: Re: [PATCH net-next 6/6] netfilter: nf_flow_table: hardware offload
 support


On 19/03/2020 17:57, Edward Cree wrote:
> On 11/11/2019 23:29, Pablo Neira Ayuso wrote:
>> This patch adds the dataplane hardware offload to the flowtable
>> infrastructure. Three new flags represent the hardware state of this
>> flow:
>>
>> * FLOW_OFFLOAD_HW: This flow entry resides in the hardware.
>> * FLOW_OFFLOAD_HW_DYING: This flow entry has been scheduled to be remove
>>   from hardware. This might be triggered by either packet path (via TCP
>>   RST/FIN packet) or via aging.
>> * FLOW_OFFLOAD_HW_DEAD: This flow entry has been already removed from
>>   the hardware, the software garbage collector can remove it from the
>>   software flowtable.
>>
>> This patch supports for:
>>
>> * IPv4 only.
>> * Aging via FLOW_CLS_STATS, no packet and byte counter synchronization
>>   at this stage.
>>
>> This patch also adds the action callback that specifies how to convert
>> the flow entry into the flow_rule object that is passed to the driver.
>>
>> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> <snip>
>> +static int nf_flow_rule_match(struct nf_flow_match *match,
>> +			      const struct flow_offload_tuple *tuple)
>> +{
>> +	struct nf_flow_key *mask = &match->mask;
>> +	struct nf_flow_key *key = &match->key;
>> +
>> +	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control);
>> +	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic);
>> +	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4);
>> +	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp);
>> +	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp);
>> +
>> +	switch (tuple->l3proto) {
>> +	case AF_INET:
>> +		key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
> Is it intentional that mask->control.addr_type never gets set?
It should be set.
>
> -ed

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ