Date:   Thu,  4 Nov 2021 16:42:05 +0200
From:   Anssi Hannula <anssi.hannula@...wise.fi>
To:     netdev@...r.kernel.org
Cc:     stephen@...workplumber.org, Phil Sutter <phil@....cc>,
        Hiroaki SHIMODA <shimoda.hiroaki@...il.com>
Subject: [PATCH iproute2] man: tc-u32: Fix page to match new firstfrag behavior

Commit 690b11f4a6b8 ("tc: u32: Fix firstfrag filter.") applied in 2012
changed the "ip firstfrag" selector to not match non-fragmented packets
anymore.

However, the documentation added in f15a23966fff ("tc: add a man page
for u32 filter") in 2015 includes an example that relies on the previous
behavior (non-fragmented packet counted as first fragment).

Due to this, the example does not work correctly and does not actually
classify regular SSH packets.

Modify the example to use a raw u16 selector on the fragment offset to
make it work, and also make the firstfrag description more clear about
the current behavior.

Fixes: f15a23966fff ("tc: add a man page for u32 filter")
Signed-off-by: Anssi Hannula <anssi.hannula@...wise.fi>
Cc: Phil Sutter <phil@....cc>
Cc: Hiroaki SHIMODA <shimoda.hiroaki@...il.com>
---

I suspect the original behavior was intentional, but the new one has
been out for 9 years now so I guess it is too late to change again.

 man/man8/tc-u32.8 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/man/man8/tc-u32.8 b/man/man8/tc-u32.8
index fec9af7f..507589bd 100644
--- a/man/man8/tc-u32.8
+++ b/man/man8/tc-u32.8
@@ -427,7 +427,7 @@ Also minimal header size for IPv4 and lack of IPv6 extension headers is assumed.
 IPv4 only, check certain flags and fragment offset values. Match if the packet
 is not a fragment
 .RB ( nofrag ),
-the first fragment
+the first fragment of a fragmented packet
 .RB ( firstfrag ),
 if Don't Fragment
 .RB ( df )
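Review bot: the reworded firstfrag entry still leaves the reader to infer that an unfragmented packet does not match; since the commit message says that is exactly what 690b11f4a6b8 changed, it is worth saying outright, e.g. "the first fragment of a fragmented packet (an unfragmented packet does not match)", so that readers do not assume nofrag plus firstfrag together cover "fragment offset zero" without reading on to the u16 example.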
@@ -644,7 +644,7 @@ tc filter add dev eth0 parent 1:0 protocol ip \\
 tc filter add dev eth0 parent 1:0 protocol ip \\
         u32 ht 800: \\
         match ip protocol 6 FF \\
-        match ip firstfrag \\
+        match u16 0 1fff at 6 \\
         offset at 0 mask 0f00 shift 6 \\
         link 1:
 .EE
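Review bot: `match u16 0 1fff at 6` is the right replacement for "offset is zero" (bytes 6-7 of the IPv4 header hold the three flag bits plus the 13-bit fragment offset, and 0x1fff masks the flags out), so it matches both an unfragmented packet and a first fragment, restoring the behavior the example relied on; but a raw selector is far less self-explanatory than `match ip firstfrag`, so the prose around this example (outside the hunk) should explain the mask, and any nearby sentence that still describes the filter as matching "first fragments" needs the same correction.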
-- 
2.31.1
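The following is an added example to accompany the commit message and the second hunk; it is not part of the patch, the iproute2 sources, or the man page. It evaluates the selectors discussed above against constructed IPv4 headers, showing that `match u16 0 1fff at 6` (fragment offset zero) covers both unfragmented packets and first fragments, while the current `ip firstfrag` covers only the latter. The page states only that `ip firstfrag` stopped matching unfragmented packets; the exact encodings used here for `ip nofrag` (value 0, mask 0x3fff) and for the current `ip firstfrag` (value 0x2000, mask 0x3fff) are assumptions about tc's implementation and are marked as such in the code.

```c
/* Added example, not from the patch or iproute2: evaluate tc-u32 selectors
 * on constructed IPv4 headers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20
#define PROTO_TCP 6

/* Build a minimal, constructed IPv4 header. Only the fields the selectors
 * look at are meaningful: IHL (byte 0), protocol (byte 9) and the
 * flags/fragment-offset word at bytes 6-7. Checksum is left at zero. */
static void make_ipv4_hdr(uint8_t hdr[IPV4_HDR_LEN], uint8_t proto,
                          bool more_fragments, uint16_t frag_off_units)
{
    uint16_t word = (uint16_t)((more_fragments ? 0x2000 : 0) |
                               (frag_off_units & 0x1fff));
    memset(hdr, 0, IPV4_HDR_LEN);
    hdr[0] = 0x45;                   /* version 4, IHL 5 (20 bytes)        */
    hdr[6] = (uint8_t)(word >> 8);   /* flags (3 bits) + offset high bits  */
    hdr[7] = (uint8_t)(word & 0xff); /* offset low bits                    */
    hdr[8] = 64;                     /* TTL                                */
    hdr[9] = proto;
}

/* tc-u32 "match u16 VALUE MASK at OFF": compare the masked big-endian
 * 16-bit word at byte offset OFF with VALUE. */
static bool u32_match_u16(const uint8_t *pkt, int off, uint16_t value, uint16_t mask)
{
    uint16_t word = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
    return (word & mask) == (value & mask);
}

/* The patch's replacement, "match u16 0 1fff at 6": fragment offset is
 * zero, true for an unfragmented packet and for a first fragment. */
static bool sel_offset_zero(const uint8_t *pkt)
{
    return u32_match_u16(pkt, 6, 0x0000, 0x1fff);
}

/* "match ip nofrag": MF clear and offset zero.
 * Assumption: encoded as value 0, mask 0x3fff. */
static bool sel_nofrag(const uint8_t *pkt)
{
    return u32_match_u16(pkt, 6, 0x0000, 0x3fff);
}

/* "match ip firstfrag" with the post-2012 behavior: MF set and offset zero,
 * so an unfragmented packet no longer matches.
 * Assumption: encoded as value 0x2000, mask 0x3fff. */
static bool sel_firstfrag(const uint8_t *pkt)
{
    return u32_match_u16(pkt, 6, 0x2000, 0x3fff);
}

/* "match ip protocol 6 ff": protocol byte equals TCP. */
static bool sel_tcp(const uint8_t *pkt)
{
    return pkt[9] == PROTO_TCP;
}

/* "offset at 0 mask 0f00 shift 6": u32's next-header offset computation,
 * ((u16 at byte 0) & 0x0f00) >> 6 == IHL * 4, i.e. the IPv4 header length. */
static int u32_next_offset(const uint8_t *pkt)
{
    uint16_t word = (uint16_t)((pkt[0] << 8) | pkt[1]);
    return (word & 0x0f00) >> 6;
}

enum { SEL_NOFRAG = 1, SEL_FIRSTFRAG = 2, SEL_OFFSET_ZERO = 4, SEL_TCP = 8 };

/* Build a header from the given fields and report which selectors match. */
static int selector_mask(uint8_t proto, bool more_fragments, uint16_t frag_off_units)
{
    uint8_t pkt[IPV4_HDR_LEN];
    int m = 0;
    make_ipv4_hdr(pkt, proto, more_fragments, frag_off_units);
    if (sel_nofrag(pkt))      m |= SEL_NOFRAG;
    if (sel_firstfrag(pkt))   m |= SEL_FIRSTFRAG;
    if (sel_offset_zero(pkt)) m |= SEL_OFFSET_ZERO;
    if (sel_tcp(pkt))         m |= SEL_TCP;
    return m;
}

/* The patched example filter: TCP and fragment offset zero. Returns the
 * byte offset the "link 1:" table would be applied at, or -1 if no match. */
static int example_filter(uint8_t proto, bool more_fragments, uint16_t frag_off_units)
{
    uint8_t pkt[IPV4_HDR_LEN];
    make_ipv4_hdr(pkt, proto, more_fragments, frag_off_units);
    if (!sel_tcp(pkt) || !sel_offset_zero(pkt))
        return -1;
    return u32_next_offset(pkt);
}

int main(void)
{
    /* Constructed cases: ordinary TCP segment, first fragment, later fragment. */
    struct { const char *name; bool mf; uint16_t off; } cases[] = {
        { "unfragmented",   false, 0   },
        { "first fragment", true,  0   },
        { "last fragment",  false, 185 },   /* offset 185 * 8 = 1480 bytes */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-15s selectors=0x%x example_filter=%d\n", cases[i].name,
               selector_mask(PROTO_TCP, cases[i].mf, cases[i].off),
               example_filter(PROTO_TCP, cases[i].mf, cases[i].off));
    return 0;
}
```

Running it shows why the old example failed: an ordinary, unfragmented SSH segment matches `nofrag` and the offset-zero selector but not the current `firstfrag`, so a filter keyed on `firstfrag` never reaches the `link 1:` table for normal traffic, whereas the u16 selector does and also still admits a genuine first fragment.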
