| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Feb 2022 14:22:58 -0300
From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To: Davide Caratti <dcaratti@...hat.com>
Cc: Jamal Hadi Salim <jhs@...atatu.com>,
Cong Wang <xiyou.wangcong@...il.com>,
Jiri Pirko <jiri@...nulli.us>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
Oz Shlomo <ozsh@...dia.com>,
Eelco Chaudron <echaudro@...hat.com>
Subject: Re: [PATCH net-next] net/sched: act_police: more accurate MTU
policing
On Thu, Feb 10, 2022 at 06:56:08PM +0100, Davide Caratti wrote:
> in current Linux, MTU policing does not take into account that packets at
> the TC ingress have the L2 header pulled. Thus, the same TC police action
> (with the same value of tcfp_mtu) behaves differently for ingress/egress.
> In addition, the full GSO size is compared to tcfp_mtu: as a consequence,
> the policer drops GSO packets even when individual segments have the L2 +
> L3 + L4 + payload length below the configured valued of tcfp_mtu.
>
> Improve the accuracy of MTU policing as follows:
> - account for mac_len for non-GSO packets at TC ingress.
> - compare MTU threshold with the segmented size for GSO packets.
> Also, add a kselftest that verifies the correct behavior.
>
> Signed-off-by: Davide Caratti <dcaratti@...hat.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Powered by blists - more mailing lists