lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 17 Aug 2020 07:19:17 -0400
From:   Jamal Hadi Salim <jhs@...atatu.com>
To:     Cong Wang <xiyou.wangcong@...il.com>
Cc:     David Miller <davem@...emloft.net>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        Jiri Pirko <jiri@...nulli.us>,
        Ariel Levkovich <lariel@...lanox.com>
Subject: Re: [PATCH net-next 1/1] net/sched: Introduce skb hash classifier

On 2020-08-16 2:59 p.m., Cong Wang wrote:
> On Thu, Aug 13, 2020 at 5:52 AM Jamal Hadi Salim <jhs@...atatu.com> wrote:


[..]
>> How do you know whether to use hash or mark or both
>> for that specific key?
> 
> Hmm, you can just unconditionally pass skb->hash and skb->mark,
> no? Something like:
> 
> if (filter_parameter_has_hash) {
>      match skb->hash with cls->param_hash
> }
> 
> if (filter_parameter_has_mark) {
>      match skb->mark with cls->param_mark
> }
> 
 >
> fw_classify() uses skb->mark unconditionally anyway, without checking
> whether it is set or not first.
> 

There is no ambiguity of intent in the fw case, there is only one field.
In the case of having multiple fields it is ambigious if you 
unconditionally look.

Example: policy says to match skb mark of 5 and hash of 3.
If packet arrives with skb->mark is 5 and skb->hash is 3
very clearly matched the intent of the policy.
If packet arrives withj skb->mark 7 and hash 3 it clearly
did not match the intent. etc.

> But if filters were put in a global hashtable, the above would be
> much harder to implement.
> 

Ok, yes. My assumption has been you will have some global shared
structure where all filters will be installed on.

I think i may have misunderstood all along what you were saying
which is:

a) add the rules so they are each _independent with different
    priorities_ in a chain.

b)  when i do lookup for packet arrival, i will only see a filter
  that matches "match mark 5 and hash 3" (meaning there is no
  ambiguity on intent). If packet data doesnt match policy then
  i will iterate to another filter on the chain list with lower
  priority.

Am i correct in my understanding?

If i am - then we still have a problem with lookup scale in presence
of a large number of filters since essentially this approach
is linear lookup (similar problem iptables has). I am afraid
a hash table or something with similar principle goals is needed.

> 
>> You can probably do some trick but I cant think of a cheap way to
>> achieve this goal. Of course this issue doesnt exist if you have
>> separate classifiers.
>>
>> 2) If you decide tomorrow to add tcindex/prio etc, you will have to
>> rework this as well.
>>
>> #2 is not as a big deal as #1.
> 
> Well, I think #2 is more serious than #1, if we have to use a hashtable.
> (If we don't have to, then it would be much easier to extend, of course.)
>

In both cases youd have to extend the existing code.

cheers,
jamal

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ