| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <435e4756-f36a-f0f5-0ac5-45bd5cacaff2@ucloud.cn>
Date: Thu, 29 Oct 2020 10:22:04 +0800
From: wenxu <wenxu@...oud.cn>
To: Jakub Kicinski <kuba@...nel.org>,
Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: [resend] Solution for the problem conntrack in tc subsystem
Hi,
Currently kernel tc subsystem can do conntrack things in cat_ct. But there is a problem need
to fix. For several fragment packets handle in act_ct. The tcf_ct_handle_fragments will defrag
the packets to a big one. But the after action will redirect mirror to a device which maybe lead
the reassembly big packet over the mtu of target device.
The proposal "net/sched: act_mirred: fix fragment the packet after defrag in act_ct"
http://patchwork.ozlabs.org/project/netdev/patch/1593485646-14989-1-git-send-email-wenxu@ucloud.cn/
is not been accepted.
another proposal "net/sched: add act_ct_output support"
http://patchwork.ozlabs.org/project/netdev/patch/1598335663-26503-1-git-send-email-wenxu@ucloud.cn/
is also not a good solution. There are some duplicate codes for this and act_mirred.
Something other proposal like add the act_fragment also can't be work. The fragment will make
The big packet to several ones and can't be handle in the tc pipe. And also this is not friendly for
user to explicitly add action for fragment.
Only do gso for the reassembly big packet is also can't fix all the case such for icmp packet.
So there are some proper solution for this problem. In the Internet we can't avoid the fragment packets.
BR
wenxu
Powered by blists - more mailing lists