Message-Id: <1590611130-19146-1-git-send-email-jbaron@akamai.com>
Date: Wed, 27 May 2020 16:25:28 -0400
From: Jason Baron <jbaron@...mai.com>
To: davem@...emloft.net
Cc: netdev@...r.kernel.org, jhs@...atatu.com, xiyou.wangcong@...il.com,
jiri@...nulli.us
Subject: [net-next 0/2] net: sched: cls-flower: add support for port-based fragment filtering

Port-based allow rules must currently allow all fragments since the
port number is not included in the first fragment. We want to restrict
allowing all fragments by including the port number in the first
fragments.

For example, we can now allow fragments for only port 80 via:

# tc filter add dev $DEVICE parent ffff: priority 1 protocol ipv4 flower \
    ip_proto tcp dst_port 80 action pass
# tc filter add dev $DEVICE parent ffff: priority 2 protocol ipv4 flower \
    ip_flags frag/nofirstfrag action pass

The first patch includes ports for first fragments.
The second patch adds test cases, demonstrating the new behavior.

Jason Baron (2):
  net: sched: cls-flower: include ports in 1rst fragment
  selftests: tc_flower: add destination port tests

 net/core/flow_dissector.c                          |  4 +-
 net/sched/cls_flower.c                             |  3 +-
 .../testing/selftests/net/forwarding/tc_flower.sh  | 73 +++++++++++++++++++++-
 3 files changed, 77 insertions(+), 3 deletions(-)
--
2.7.4
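
Added illustration, not part of the original message or of the kernel patches: a simplified C model of how the two filters quoted above would sort IPv4 packets once first fragments carry their ports. The names match_rule and classify and the sample packets are constructed for this example; note that the priority 2 filter has no port match, so later fragments of any flow still match it.

```c
#include <stdint.h>
#include <stdio.h>

#define IP_MF      0x2000 /* "more fragments" flag */
#define IP_OFFMASK 0x1fff /* fragment offset, in 8-byte units */

/* Returns the priority of the first matching filter from the message (1 or 2),
 * 0 if neither matches, -1 if pkt is not a parsable IPv4 packet. */
int match_rule(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return -1;
    uint16_t frag = (uint16_t)(pkt[6] << 8 | pkt[7]);
    int is_frag = (frag & (IP_MF | IP_OFFMASK)) != 0;
    int first_frag = is_frag && (frag & IP_OFFMASK) == 0;
    /* Priority 1: ip_proto tcp dst_port 80. A TCP header is present only in
     * unfragmented packets and first fragments, so only those carry a port. */
    if (pkt[9] == 6 && (!is_frag || first_frag) && len >= ihl + 4 &&
        (pkt[ihl + 2] << 8 | pkt[ihl + 3]) == 80)
        return 1;
    /* Priority 2: ip_flags frag/nofirstfrag (no port or protocol match). */
    if (is_frag && !first_frag)
        return 2;
    return 0;
}

/* Constructed sample: 20-byte IPv4 header plus 4 bytes of L4 data whose
 * bytes 2-3 hold dport (a real port only when the TCP header is present). */
int classify(uint16_t frag_field, uint16_t dport)
{
    uint8_t b[24] = {0};
    b[0] = 0x45;                         /* version 4, IHL 5 */
    b[6] = (uint8_t)(frag_field >> 8);
    b[7] = (uint8_t)(frag_field & 0xff);
    b[9] = 6;                            /* TCP */
    b[22] = (uint8_t)(dport >> 8);
    b[23] = (uint8_t)(dport & 0xff);
    return match_rule(b, sizeof b);
}

int main(void)
{
    printf("%d %d %d\n", classify(IP_MF, 80), classify(IP_MF, 22),
           classify(IP_MF | 185, 22)); /* first:80, first:22, later frag */
    return 0;
}
```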