lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 10 Oct 2020 15:42:26 +0200
From:   Toke Høiland-Jørgensen <toke@...hat.com>
To:     Daniel Borkmann <daniel@...earbox.net>,
        David Ahern <dsahern@...il.com>, ast@...com
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH bpf-next v2] bpf_fib_lookup: optionally skip neighbour
 lookup

Daniel Borkmann <daniel@...earbox.net> writes:

> On 10/9/20 11:28 PM, David Ahern wrote:
>> On 10/9/20 11:42 AM, Toke Høiland-Jørgensen wrote:
>>> David Ahern <dsahern@...il.com> writes:
>>>> On 10/9/20 3:13 AM, Toke Høiland-Jørgensen wrote:
>>>>> The bpf_fib_lookup() helper performs a neighbour lookup for the destination
>>>>> IP and returns BPF_FIB_LKUP_NO_NEIGH if this fails, with the expectation
>>>>> that the BPF program will pass the packet up the stack in this case.
>>>>> However, with the addition of bpf_redirect_neigh() that can be used instead
>>>>> to perform the neighbour lookup, at the cost of a bit of duplicated work.
>>>>>
>>>>> For that we still need the target ifindex, and since bpf_fib_lookup()
>>>>> already has that at the time it performs the neighbour lookup, there is
>>>>> really no reason why it can't just return it in any case. So let's just
>>>>> always return the ifindex, and also add a flag that lets the caller turn
>>>>> off the neighbour lookup entirely in bpf_fib_lookup().
>>>>
>>>> seems really odd to do the fib lookup only to skip the neighbor lookup
>>>> and defer to a second helper to do a second fib lookup and send out.
>>>>
>>>> The better back-to-back calls is to return the ifindex and gateway on
>>>> successful fib lookup regardless of valid neighbor. If the call to
>>>> bpf_redirect_neigh is needed, it can have a flag to skip the fib lookup
>>>> and just redirect to the given nexthop address + ifindex. ie.,
>>>> bpf_redirect_neigh only does neighbor handling in this case.
>>>
>>> Hmm, yeah, I guess it would make sense to cache and reuse the lookup -
>>> maybe stick it in bpf_redirect_info()? However, given the imminent
>> 
>> That is not needed.
>> 
>>> opening of the merge window, I don't see this landing before then. So
>>> I'm going to respin this patch with just the original change to always
>>> return the ifindex, then we can revisit the flags/reuse of the fib
>>> lookup later.
>> 
>> What I am suggesting is a change in API to bpf_redirect_neigh which
>> should be done now, before the merge window, before it comes a locked
>> API. Right now, bpf_redirect_neigh does a lookup to get the nexthop. It
>> should take the gateway as an input argument. If set, then the lookup is
>> not done - only the neighbor redirect.
>
> Sounds like a reasonable extension, agree. API freeze is not merge win, but
> final v5.10 tag in this case as it always has been. In case it's not in time,
> we can simply just move flags to arg3 and add a reserved param as arg2 which
> must be zero (and thus indicate to perform the lookup as-is). Later we could
> extend to pass params similar as in fib_lookup helper for the gw.

Right, I can take a look at this next week. Feel free to merge (v3 of)
this patch now, that change will be needed in any case I think...

-Toke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ