Date:   Fri, 3 Sep 2021 18:52:26 -0400
From:   Jamal Hadi Salim <jhs@...atatu.com>
To:     Ido Schimmel <idosch@...sch.org>
Cc:     Boris Sukholitko <boris.sukholitko@...adcom.com>,
        netdev@...r.kernel.org, Jiri Pirko <jiri@...nulli.us>,
        Cong Wang <xiyou.wangcong@...il.com>,
        "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Vladimir Oltean <olteanv@...il.com>,
        Vadym Kochan <vadym.kochan@...ision.eu>,
        Ilya Lifshits <ilya.lifshits@...adcom.com>,
        tom Herbert <tom@...anda.io>,
        Felipe Magno de Almeida <felipe@...ertise.dev>,
        Pedro Tammela <pctammela@...atatu.com>
Subject: Re: [PATCH net-next] net/sched: cls_flower: Add orig_ethtype

On 2021-09-02 2:48 a.m., Ido Schimmel wrote:
> On Tue, Aug 31, 2021 at 09:18:16AM -0400, Jamal Hadi Salim wrote:
>> You have _not_ been unlucky - it is a design issue with flow dissector
>> and the wrapping around flower. Just waiting to happen for more
>> other use cases..
> 
> I agree. I think the fundamental problem is that flower does not set
> 'FLOW_DISSECTOR_F_STOP_AT_ENCAP' and simply lets the flow dissector
> parse as deep as possible. For example, 'dst_ip' will match on the
> innermost destination IP, which is not intuitive and probably different
> from what most hardware implementations do.
> 
> This behavior is also very error prone because it means that if the
> kernel learns to dissect a new tunnel protocol, filters can be suddenly
> broken (match on outer field now matches on inner field).
> 

Indeed, there is lots of ambiguity with multiple headers of the same
type appearing (e.g. ethernet/ethernet/ethernet or ip/ip/udp/vxlan/ip/...).

> I don't think that changing the default behavior is a solution as it can
> break user space. Maybe adding a 'stop_encap' flag to flower that user
> space will have to set?

Yes, this would work for the case of the one simple rule that Boris
posted (a small addition to user space).
For the rest of the data he was trying to match (IP headers), further
parsing would be needed before matching.
Unfortunately, there is a lot of _ambiguity_ in those kinds of
scenarios. Today's approach in TC is that you pop some header and then
advance the packet cursor, and the next rule picks up where the first
one left off (i.e., something like an action "pppoe pop" would be
needed).
The suggestion I made to Boris was to make it parse everything PPPoE has
to offer in one rule, but that would not be advancing any skb data
pointers and would possibly require that one extra change I suggested,
to set protocol to tp->protocol; such an approach is probably closest
to what hardware would do (i.e., parse everything you need, then match).
I am not sure which approach is less intrusive; IMO, the challenge here
is perhaps that the flow dissector is getting messy as a generic parser.
Maybe Tom and co can post patches for Panda, which handles these
issues much more smoothly... Tom?

On your point about the hardware: interesting; I guess I never thought
of possible inconsistencies. IIUC, as it stands today the software
version may end up having a very different result than a supposedly
equivalent hw offload.
Would it make sense to make the hardware parsing also programmable
from software so there is consistency?

cheers,
jamal
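The behaviour the two mails above describe, flower matching on whichever header the dissector reached last, and a stop-at-encap flag changing which header that is, as an added illustration that is not part of this thread and is not kernel code: a toy dissector in Python that walks Ethernet / IPv4 / UDP / VXLAN / PPPoE and fills a key set the way a flower-style classifier would consume it. It assumes a VXLAN tunnel the dissector "has learned" to parse (the kernel's flow dissector does not parse VXLAN; this is the hypothetical new tunnel protocol from Ido's mail), a simplified PPPoE walk, and key names such as `dst_ip` and `n_proto` that are only stand-ins for flower's real keys. The sample packets are constructed, not captures.

```python
"""Toy model (not kernel code) of dissector depth vs. classifier keys.

Without stop_at_encap each key is overwritten by the innermost header
that carries it; with stop_at_encap the walk halts at the first
encapsulation, so the keys describe the outer headers only.
"""
import struct

ETH_P_IP = 0x0800
ETH_P_PPP_SES = 0x8864      # PPPoE session stage
PPP_IP = 0x0021             # PPP protocol number carrying IPv4
IPPROTO_UDP = 17
VXLAN_PORT = 4789           # assumption: UDP/4789 is a tunnel we parse


def _ip4(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


# Builders for the constructed sample packets below.
def build_eth(dst, src, ethtype, payload):
    return dst + src + struct.pack("!H", ethtype) + payload


def build_ip4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip4(src), _ip4(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_vxlan(vni, payload):
    # flags (I bit), reserved, VNI in the upper 24 bits of the last word
    return struct.pack("!BBHI", 0x08, 0, 0, vni << 8) + payload


def build_pppoe(session, ppp_proto, payload):
    # 6-byte PPPoE header (ver/type, code, session id, length) + PPP proto
    return (struct.pack("!BBHH", 0x11, 0, session, 2 + len(payload))
            + struct.pack("!H", ppp_proto) + payload)


def dissect(pkt, stop_at_encap=False):
    """Return the keys a flower-like classifier would match against."""
    keys = {"encap_depth": 0}
    proto = struct.unpack_from("!H", pkt, 12)[0]   # outer Ethernet type
    off = 14
    keys["n_proto"] = proto
    while True:
        if proto == ETH_P_PPP_SES:
            if stop_at_encap:
                break
            ppp_proto = struct.unpack_from("!H", pkt, off + 6)[0]
            off += 8
            if ppp_proto != PPP_IP:
                break
            proto = ETH_P_IP
            keys["n_proto"] = proto          # classifier now sees IPv4
            keys["encap_depth"] += 1
        elif proto == ETH_P_IP:
            ihl = (pkt[off] & 0x0F) * 4
            keys["ip_proto"] = pkt[off + 9]
            keys["src_ip"] = _ip_str(pkt[off + 12:off + 16])
            keys["dst_ip"] = _ip_str(pkt[off + 16:off + 20])
            off += ihl
            if keys["ip_proto"] != IPPROTO_UDP:
                break
            keys["src_port"], keys["dst_port"] = struct.unpack_from("!HH", pkt, off)
            off += 8
            if keys["dst_port"] != VXLAN_PORT or stop_at_encap:
                break
            off += 8                                          # VXLAN header
            proto = struct.unpack_from("!H", pkt, off + 12)[0]  # inner Ethernet
            off += 14
            keys["n_proto"] = proto
            keys["encap_depth"] += 1
        else:
            break
    return keys


def flower_match(rule, keys):
    """A rule matches when every key it names equals the dissected value."""
    return all(keys.get(k) == v for k, v in rule.items())


# Constructed samples (not captures): VXLAN-in-UDP and a PPPoE session frame.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
VXLAN_PKT = build_eth(MAC_B, MAC_A, ETH_P_IP, build_ip4(
    "192.0.2.1", "192.0.2.2", IPPROTO_UDP, build_udp(40000, VXLAN_PORT,
    build_vxlan(100, build_eth(MAC_B, MAC_A, ETH_P_IP, build_ip4(
        "10.0.0.1", "10.0.0.2", IPPROTO_UDP, build_udp(1234, 53, b"dns")))))))
PPPOE_PKT = build_eth(MAC_B, MAC_A, ETH_P_PPP_SES, build_pppoe(
    0x1234, PPP_IP, build_ip4("203.0.113.1", "203.0.113.2", IPPROTO_UDP,
                              build_udp(1000, 2000, b"x"))))

if __name__ == "__main__":
    outer_rule = {"dst_ip": "192.0.2.2"}   # written with the outer IP in mind
    for flag in (False, True):
        k = dissect(VXLAN_PKT, stop_at_encap=flag)
        print(f"stop_at_encap={flag}: dst_ip={k['dst_ip']} "
              f"match={flower_match(outer_rule, k)}")
    print("pppoe n_proto:", hex(dissect(PPPOE_PKT)["n_proto"]),
          hex(dissect(PPPOE_PKT, stop_at_encap=True)["n_proto"]))
```

Running it shows the failure mode from the thread: a rule written for the outer destination address matches only when the walk stops at the encapsulation, and the PPPoE frame reports 0x0800 rather than 0x8864 as its protocol once the dissector has parsed through the PPPoE header, which is the kind of outer-vs-inner discrepancy the proposed flag is meant to make explicit.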
