| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aafb3b96-dc50-8e9d-fdfe-4abb0e5a27f6@ucloud.cn>
Date: Mon, 2 Nov 2020 14:08:03 +0800
From: wenxu <wenxu@...oud.cn>
To: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Cc: Jakub Kicinski <kuba@...nel.org>,
Linux Kernel Network Developers <netdev@...r.kernel.org>,
Cong Wang <xiyou.wangcong@...il.com>,
Paul Blakey <paulb@...lanox.com>,
Oz Shlomo <ozsh@...lanox.com>,
Davide Caratti <dcaratti@...hat.com>
Subject: Re: [resend] Solution for the problem conntrack in tc subsystem
On 10/30/2020 6:59 AM, Marcelo Ricardo Leitner wrote:
> Cc'ing Cong, Paul, Oz and Davide.
>
> On Thu, Oct 29, 2020 at 10:22:04AM +0800, wenxu wrote:
>> Only do gso for the reassembly big packet is also can't fix all the
>> case such for icmp packet.
> Good point. And as we can't know that a fragment was for an icmp
> packet before defraging it, this is quite impactful.
>
>> So there are some proper solution for this problem. In the Internet
>> we can't avoid the fragment packets.
> I agree. One other idea is to add support for some hook to mirred,
> that gets executed before xmiting the packet. Then, when act_ct (or
> another specific act module, say act_frag, as act_ct might not be the
> only one interested in defragging in the future) gets loaded, it
> configs that hook.
>
> So that mirred would something like:
> if (xmit_hook)
> xmit_hook(skb, dev_queue_xmit);
> else
> dev_queue_xmit(skb);
> Even protect it with a static branch key.
>
Good idea, The act _mirror almost untouched.
The fragment function can be put in a common place for shared
by other modules.
>
> Marcelo
>
Powered by blists - more mailing lists