lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 10 Oct 2020 01:05:34 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     David Ahern <dsahern@...il.com>,
        Toke Høiland-Jørgensen 
        <toke@...hat.com>, ast@...com
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH bpf-next v2] bpf_fib_lookup: optionally skip neighbour
 lookup

On 10/9/20 11:28 PM, David Ahern wrote:
> On 10/9/20 11:42 AM, Toke Høiland-Jørgensen wrote:
>> David Ahern <dsahern@...il.com> writes:
>>> On 10/9/20 3:13 AM, Toke Høiland-Jørgensen wrote:
>>>> The bpf_fib_lookup() helper performs a neighbour lookup for the destination
>>>> IP and returns BPF_FIB_LKUP_NO_NEIGH if this fails, with the expectation
>>>> that the BPF program will pass the packet up the stack in this case.
>>>> However, with the addition of bpf_redirect_neigh() that can be used instead
>>>> to perform the neighbour lookup, at the cost of a bit of duplicated work.
>>>>
>>>> For that we still need the target ifindex, and since bpf_fib_lookup()
>>>> already has that at the time it performs the neighbour lookup, there is
>>>> really no reason why it can't just return it in any case. So let's just
>>>> always return the ifindex, and also add a flag that lets the caller turn
>>>> off the neighbour lookup entirely in bpf_fib_lookup().
>>>
>>> seems really odd to do the fib lookup only to skip the neighbor lookup
>>> and defer to a second helper to do a second fib lookup and send out.
>>>
>>> The better back-to-back calls is to return the ifindex and gateway on
>>> successful fib lookup regardless of valid neighbor. If the call to
>>> bpf_redirect_neigh is needed, it can have a flag to skip the fib lookup
>>> and just redirect to the given nexthop address + ifindex. ie.,
>>> bpf_redirect_neigh only does neighbor handling in this case.
>>
>> Hmm, yeah, I guess it would make sense to cache and reuse the lookup -
>> maybe stick it in bpf_redirect_info()? However, given the imminent
> 
> That is not needed.
> 
>> opening of the merge window, I don't see this landing before then. So
>> I'm going to respin this patch with just the original change to always
>> return the ifindex, then we can revisit the flags/reuse of the fib
>> lookup later.
> 
> What I am suggesting is a change in API to bpf_redirect_neigh which
> should be done now, before the merge window, before it comes a locked
> API. Right now, bpf_redirect_neigh does a lookup to get the nexthop. It
> should take the gateway as an input argument. If set, then the lookup is
> not done - only the neighbor redirect.

Sounds like a reasonable extension, agree. API freeze is not merge win, but
final v5.10 tag in this case as it always has been. In case it's not in time,
we can simply just move flags to arg3 and add a reserved param as arg2 which
must be zero (and thus indicate to perform the lookup as-is). Later we could
extend to pass params similar as in fib_lookup helper for the gw.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ