lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87v9fjckcd.fsf@toke.dk>
Date:   Fri, 09 Oct 2020 20:42:10 +0200
From:   Toke Høiland-Jørgensen <toke@...hat.com>
To:     David Ahern <dsahern@...il.com>, daniel@...earbox.net, ast@...com
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org,
        David Ahern <dsahern@...il.com>
Subject: Re: [PATCH bpf-next v2] bpf_fib_lookup: optionally skip neighbour
 lookup

David Ahern <dsahern@...il.com> writes:

> On 10/9/20 3:13 AM, Toke Høiland-Jørgensen wrote:
>> The bpf_fib_lookup() helper performs a neighbour lookup for the destination
>> IP and returns BPF_FIB_LKUP_NO_NEIGH if this fails, with the expectation
>> that the BPF program will pass the packet up the stack in this case.
>> However, with the addition of bpf_redirect_neigh() that can be used instead
>> to perform the neighbour lookup, at the cost of a bit of duplicated work.
>> 
>> For that we still need the target ifindex, and since bpf_fib_lookup()
>> already has that at the time it performs the neighbour lookup, there is
>> really no reason why it can't just return it in any case. So let's just
>> always return the ifindex, and also add a flag that lets the caller turn
>> off the neighbour lookup entirely in bpf_fib_lookup().
>
> seems really odd to do the fib lookup only to skip the neighbor lookup
> and defer to a second helper to do a second fib lookup and send out.
>
> The better back-to-back calls is to return the ifindex and gateway on
> successful fib lookup regardless of valid neighbor. If the call to
> bpf_redirect_neigh is needed, it can have a flag to skip the fib lookup
> and just redirect to the given nexthop address + ifindex. ie.,
> bpf_redirect_neigh only does neighbor handling in this case.

Hmm, yeah, I guess it would make sense to cache and reuse the lookup -
maybe stick it in bpf_redirect_info()? However, given the imminent
opening of the merge window, I don't see this landing before then. So
I'm going to respin this patch with just the original change to always
return the ifindex, then we can revisit the flags/reuse of the fib
lookup later.

-Toke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ