lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 6 Apr 2022 10:31:10 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     Mattias Forsblad <mattias.forsblad@...il.com>
Cc:     netdev@...r.kernel.org, Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        Vladimir Oltean <olteanv@...il.com>,
        "David S . Miller" <davem@...emloft.net>,
        Paolo Abeni <pabeni@...hat.com>,
        Tobias Waldekranz <tobias@...dekranz.com>
Subject: Re: [PATCH v3 net-next 0/2] net: tc: dsa: Implement offload of
 matchall for bridged DSA ports

On Wed, 6 Apr 2022 11:24:46 +0200 Mattias Forsblad wrote:
> On 2022-04-06 03:09, Jakub Kicinski wrote:
> > On Mon,  4 Apr 2022 12:48:24 +0200 Mattias Forsblad wrote:  
> >> Limitations
> >> If there is tc rules on a bridge and all the ports leave the bridge
> >> and then joins the bridge again, the indirect framwork doesn't seem
> >> to reoffload them at join. The tc rules need to be torn down and
> >> re-added.  
> > 
> > You should unregister your callback when last DSA port leaves and
> > re-register when first joins. That way you'll get replay.
> >   
> 
> So I've tried that and it partially works. I get the FLOW_BLOCK_BIND
> callback but tcf_action_reoffload_cb() bails out here (tc_act_bind() == 1):
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/sched/act_api.c?h=v5.18-rc1#n1819
> 
> B.c. that flag is set here:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/sched/cls_api.c?h=v5.18-rc1#n3088
> 
> I cannot say I fully understand this logic. Can you perhaps advise?

tcf_action_reoffload_cb() is for action-as-first-class-citizen offload.
I think you should get the reply thru tcf_block_playback_offloads().
But I haven't really kept up with the TC offloads, non-zero chance
they got broken :/

> > Also the code needs to check the matchall is highest prio.  
> 
> Isn't sufficient with this check?
> 
> 	else if (flow_offload_has_one_action(&cls->rule->action) &&
> 		 cls->rule->action.entries[0].id == FLOW_ACTION_DROP)
> 		err = dsa_slave_add_cls_matchall_drop(dev, cls, ingress);
> 
> If it only has one action is must be the highest priority or am I 
> missing something?

That just checks there is a single action on the rule.
There could be multiple rules, adding something like:

	if (flow->common.prio != 1)
		goto bail;

is what I had in mind.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ