| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201029225936.GM3837@localhost.localdomain>
Date: Thu, 29 Oct 2020 19:59:36 -0300
From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To: wenxu <wenxu@...oud.cn>
Cc: Jakub Kicinski <kuba@...nel.org>,
Linux Kernel Network Developers <netdev@...r.kernel.org>,
Cong Wang <xiyou.wangcong@...il.com>,
Paul Blakey <paulb@...lanox.com>,
Oz Shlomo <ozsh@...lanox.com>,
Davide Caratti <dcaratti@...hat.com>
Subject: Re: [resend] Solution for the problem conntrack in tc subsystem
Cc'ing Cong, Paul, Oz and Davide.
On Thu, Oct 29, 2020 at 10:22:04AM +0800, wenxu wrote:
> Only do gso for the reassembly big packet is also can't fix all the
> case such for icmp packet.
Good point. And as we can't know that a fragment was for an icmp
packet before defraging it, this is quite impactful.
>
> So there are some proper solution for this problem. In the Internet
> we can't avoid the fragment packets.
I agree. One other idea is to add support for some hook to mirred,
that gets executed before xmiting the packet. Then, when act_ct (or
another specific act module, say act_frag, as act_ct might not be the
only one interested in defragging in the future) gets loaded, it
configs that hook.
So that mirred would something like:
if (xmit_hook)
xmit_hook(skb, dev_queue_xmit);
else
dev_queue_xmit(skb);
Even protect it with a static branch key.
This leaves mirred almost untouched, 0 performance penalty for those
that don't use act_ct, can even have a Kconfig knob, is not CT or
ipfrag specific code on mirred so it's reusable later on and solves
our problem here. Thoughts?
Marcelo
Powered by blists - more mailing lists