| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211001084058.GA5460@katalix.com>
Date: Fri, 1 Oct 2021 09:40:59 +0100
From: Tom Parkin <tparkin@...alix.com>
To: Eyal Birger <eyal.birger@...il.com>
Cc: jchapman@...alix.com, netdev@...r.kernel.org
Subject: Re: [RFC PATCH net-next 0/3] support "flow-based" datapath in l2tp
On Wed, Sep 29, 2021 at 13:03:21 +0300, Eyal Birger wrote:
> Hi Tom,
>
> On 29/09/2021 12:45, Tom Parkin wrote:
> ...
> > The skb is then redirected to the tunnel virtual netdev: tc rules
> > can then be added to match traffic based on the session ID and
> > redirect it to the correct interface:
> >
> > tc qdisc add dev l2tpt1 handle ffff: ingress
> > tc filter add dev l2tpt1 \
> > parent ffff: \
> > flower enc_key_id 1 \
> > action mirred egress redirect dev eth0
> >
> > In the case that no tc rule matches an incoming packet, the tunnel
> > virtual device implements an rx handler which swallows the packet
> > in order to prevent it continuing through the network stack.
>
> There are other ways to utilize the tunnel key on rx, e.g. in ip rules.
>
> IMHO it'd be nicer if the decision to drop would be an administrator
> decision which they can implement using a designated tc drop rule.
Good point, and one I hadn't considered.
My concern with letting the packet enter the stack is that it could
possibly cause issues, but maybe it's better to allow the admin to
make that call.
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists