| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 May 2020 13:29:29 +0300
From: Paul Blakey <paulb@...lanox.com>
To: xiangxia.m.yue@...il.com, saeedm@...lanox.com, roid@...lanox.com,
gerlitz.or@...il.com
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH v2 1/3] net/mlx5e: Implicitly decap the tunnel packet when
necessary
On 5/6/2020 5:16 AM, xiangxia.m.yue@...il.com wrote:
> From: Tonghao Zhang <xiangxia.m.yue@...il.com>
>
> The commit 0a7fcb78cc21 ("net/mlx5e: Support inner header rewrite with
> goto action"), will decapsulate the tunnel packets if there is a goto
> action in chain 0. But in some case, we don't want do that, for example:
>
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 0 \
> flower enc_dst_ip 2.2.2.100 enc_dst_port 4789 \
> action goto chain 2
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 2 \
> flower dst_mac 00:11:22:33:44:55 enc_src_ip 2.2.2.200 \
> enc_dst_ip 2.2.2.100 enc_dst_port 4789 enc_key_id 100 \
> action tunnel_key unset action mirred egress redirect dev enp130s0f0_0
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 2 \
> flower dst_mac 00:11:22:33:44:66 enc_src_ip 2.2.2.200 \
> enc_dst_ip 2.2.2.100 enc_dst_port 4789 enc_key_id 200 \
> action tunnel_key unset action mirred egress redirect dev enp130s0f0_1
>
> In this patch, if there is a pedit action in chain, do the decapsulation action.
> if there are pedit and goto actions, do the decapsulation and id mapping action.
We can't do the decap only if there is a pedit action, we must be consistent for
the matches.
Consider the following rules:
tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 0 \
flower dst_ip 1.1.1.1 enc_src_ip 2.2.2.200 enc_dst_ip 2.2.2.100 \
enc_dst_port 4789 enc_key_id 100 dst_mac 00:11:22:33:44:55 \
action pedit ex munge ip dst set 3.1.1.1 \
action goto chain 1
# this will do DECAP + REWRITE (originally inner ip, now outter ip after decap) + GOTO
tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 0 \
flower dst_ip 1.1.1.2 enc_src_ip 2.2.2.200 enc_dst_ip 2.2.2.100 \
enc_dst_port 4789 enc_key_id 100 dst_mac 00:11:22:33:44:55 \
action goto chain 1
# this will just GOTO
tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 1 \
flower src_ip 1.1.1.192 enc_src_ip 2.2.2.200 enc_dst_ip 2.2.2.100 \
enc_dst_port 4789 enc_key_id 100 dst_mac 00:11:22:33:44:55 \
action pedit ex munge ip dst set 3.1.1.192 \
action goto chain 1
With your change, Match src_ip 1.1.1.192 here, should match inner headers or outter headers?
As we might have come from the decaped path (inner dst_ip 1.1.1.1) or not (inner dst_ip 1.1.1.2), depending on inner dst ip.
Alos, in tc the packet is already decapsulated by the tunnel device before it gets to tc ingress classification,
tunnel key unset just remove the tunnel info metadata so we can't match against it. It doesn't decapsulate it.
This flow:
$ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 2 \
flower action mirred egress redirect dev enp130s0f0_0
passes decapsulated packets to enp130s0f0_0, without specifying tunnel key unset.
We want to follow this implicit decapsulation.
[...]
> 9 test units:
> [1]:
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 0 \
> flower enc_dst_ip 2.2.2.100 enc_dst_port 4789 \
> action goto chain 2
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 2 \
> flower enc_src_ip 2.2.2.200 enc_dst_ip 2.2.2.100 \
> enc_dst_port 4789 enc_key_id 100 dst_mac 00:11:22:33:44:55 \
> action tunnel_key unset \
> action mirred egress redirect dev enp130s0f0_0
> [2]:
> $ tc filter add dev $VXLAN protocol ip
Powered by blists - more mailing lists