Date:   Fri, 28 Aug 2020 11:16:06 -0700
From:   Cong Wang <>
To:     Marcelo Ricardo Leitner <>
Cc:     wenxu <>,
        Linux Kernel Network Developers <>,
        Jamal Hadi Salim <>,
        Paul Blakey <>, Oz Shlomo <>
Subject: Re: [PATCH net-next] net/sched: add act_ct_output support

On Tue, Aug 25, 2020 at 8:33 AM Marcelo Ricardo Leitner
<> wrote:
> I still don't understand Cong's argument for not having this on
> act_mirred because TC is L2. That's actually not right. TC hooks at L2

You miss a very important point that it is already too late to rename
act_mirred to reflect whatever new feature is added to it.

> but deals with L3 and L4 (after all, it does static NAT, mangles L4
> headers and classifies based on virtually anything) since the beginning,
> and this is just another case.

So eventually you want TC to deal with all L3 stuff?? I think you are
exaggerating it, modifying L3/L4 headers does not mean it handles L3
protocol. But, doing IP layer fragmentation is clearly doing something that
belongs to the IP protocol. Look at the code, you never need to call into
IP layer code (except some trivial helpers) until you do CT or
fragmentation. This is why I do not like act_ct either, it fits oddly into

Why not just do segmentation instead of fragmentation? GSO is
already performed at L2 by software.

