lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 11 Feb 2022 14:22:58 -0300
From:   Marcelo Ricardo Leitner <>
To:     Davide Caratti <>
Cc:     Jamal Hadi Salim <>,
        Cong Wang <>,
        Jiri Pirko <>,
        "David S. Miller" <>,
        Jakub Kicinski <>,,
        Oz Shlomo <>,
        Eelco Chaudron <>
Subject: Re: [PATCH net-next] net/sched: act_police: more accurate MTU

On Thu, Feb 10, 2022 at 06:56:08PM +0100, Davide Caratti wrote:
> in current Linux, MTU policing does not take into account that packets at
> the TC ingress have the L2 header pulled. Thus, the same TC police action
> (with the same value of tcfp_mtu) behaves differently for ingress/egress.
> In addition, the full GSO size is compared to tcfp_mtu: as a consequence,
> the policer drops GSO packets even when individual segments have the L2 +
> L3 + L4 + payload length below the configured valued of tcfp_mtu.
> Improve the accuracy of MTU policing as follows:
>  - account for mac_len for non-GSO packets at TC ingress.
>  - compare MTU threshold with the segmented size for GSO packets.
> Also, add a kselftest that verifies the correct behavior.
> Signed-off-by: Davide Caratti <>

Reviewed-by: Marcelo Ricardo Leitner <>

Powered by blists - more mailing lists