| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 May 2020 16:25:28 -0400
From: Jason Baron <jbaron@...mai.com>
To: davem@...emloft.net
Cc: netdev@...r.kernel.org, jhs@...atatu.com, xiyou.wangcong@...il.com,
jiri@...nulli.us
Subject: [net-next 0/2] net: sched: cls-flower: add support for port-based fragment filtering
Port based allow rules must currently allow all fragments since the
port number is not included in the 1rst fragment. We want to restrict
allowing all fragments by inclucding the port number in the 1rst
fragments.
For example, we can now allow fragments for only port 80 via:
# tc filter add dev $DEVICE parent ffff: priority 1 protocol ipv4 flower
ip_proto tcp dst_port 80 action pass
# tc filter add dev $DEVICE parent ffff: priority 2 protocol ipv4 flower
ip_flags frag/nofirstfrag action pass
The first patch includes ports for 1rst fragments.
The second patch adds test cases, demonstrating the new behavior.
Jason Baron (2):
net: sched: cls-flower: include ports in 1rst fragment
selftests: tc_flower: add destination port tests
net/core/flow_dissector.c | 4 +-
net/sched/cls_flower.c | 3 +-
.../testing/selftests/net/forwarding/tc_flower.sh | 73 +++++++++++++++++++++-
3 files changed, 77 insertions(+), 3 deletions(-)
--
2.7.4
Powered by blists - more mailing lists