lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4972626e-c86d-8715-0565-20bed680227c@gmail.com>
Date:   Fri, 9 Oct 2020 14:28:02 -0700
From:   David Ahern <dsahern@...il.com>
To:     Toke Høiland-Jørgensen <toke@...hat.com>,
        daniel@...earbox.net, ast@...com
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH bpf-next v2] bpf_fib_lookup: optionally skip neighbour
 lookup

On 10/9/20 11:42 AM, Toke Høiland-Jørgensen wrote:
> David Ahern <dsahern@...il.com> writes:
> 
>> On 10/9/20 3:13 AM, Toke Høiland-Jørgensen wrote:
>>> The bpf_fib_lookup() helper performs a neighbour lookup for the destination
>>> IP and returns BPF_FIB_LKUP_NO_NEIGH if this fails, with the expectation
>>> that the BPF program will pass the packet up the stack in this case.
>>> However, with the addition of bpf_redirect_neigh() that can be used instead
>>> to perform the neighbour lookup, at the cost of a bit of duplicated work.
>>>
>>> For that we still need the target ifindex, and since bpf_fib_lookup()
>>> already has that at the time it performs the neighbour lookup, there is
>>> really no reason why it can't just return it in any case. So let's just
>>> always return the ifindex, and also add a flag that lets the caller turn
>>> off the neighbour lookup entirely in bpf_fib_lookup().
>>
>> seems really odd to do the fib lookup only to skip the neighbor lookup
>> and defer to a second helper to do a second fib lookup and send out.
>>
>> The better back-to-back calls is to return the ifindex and gateway on
>> successful fib lookup regardless of valid neighbor. If the call to
>> bpf_redirect_neigh is needed, it can have a flag to skip the fib lookup
>> and just redirect to the given nexthop address + ifindex. ie.,
>> bpf_redirect_neigh only does neighbor handling in this case.
> 
> Hmm, yeah, I guess it would make sense to cache and reuse the lookup -
> maybe stick it in bpf_redirect_info()? However, given the imminent

That is not needed.

> opening of the merge window, I don't see this landing before then. So
> I'm going to respin this patch with just the original change to always
> return the ifindex, then we can revisit the flags/reuse of the fib
> lookup later.
> 

What I am suggesting is a change in API to bpf_redirect_neigh which
should be done now, before the merge window, before it comes a locked
API. Right now, bpf_redirect_neigh does a lookup to get the nexthop. It
should take the gateway as an input argument. If set, then the lookup is
not done - only the neighbor redirect.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ