lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20220728104746.GC18015@pc-4.home>
Date:   Thu, 28 Jul 2022 12:47:46 +0200
From:   Guillaume Nault <gnault@...hat.com>
To:     Wojciech Drewek <wojciech.drewek@...el.com>
Cc:     netdev@...r.kernel.org, dsahern@...il.com,
        stephen@...workplumber.org
Subject: Re: [PATCH iproute-next v2 3/3] f_flower: Introduce PPPoE support

On Thu, Jul 28, 2022 at 10:44:37AM +0200, Wojciech Drewek wrote:
> Introduce PPPoE specific fields in tc-flower:
> - session id (16 bits)
> - ppp protocol (16 bits)
> Those fields can be provided only when protocol was set to
> ETH_P_PPP_SES. ppp_proto works similar to vlan_ethtype, i.e.
> ppp_proto overwrites eth_type. Thanks to that, fields from
> encapsulated protocols (such as src_ip) can be specified.
> 
> e.g.
>   # tc filter add dev ens6f0 ingress prio 1 protocol ppp_ses \
>       flower \
>         pppoe_sid 1234 \
>         ppp_proto ip \
>         dst_ip 127.0.0.1 \
>         src_ip 127.0.0.2 \
>       action drop
> 
> Vlan and cvlan is also supported, in this case cvlan_ethtype
> or vlan_ethtype has to be set to ETH_P_PPP_SES.
> 
> e.g.
>   # tc filter add dev ens6f0 ingress prio 1 protocol 802.1Q \
>       flower \
>         vlan_id 2 \
>         vlan_ethtype ppp_ses \
>         pppoe_sid 1234 \
>         ppp_proto ip \
>         dst_ip 127.0.0.1 \
>         src_ip 127.0.0.2 \
>       action drop
> 
> Signed-off-by: Wojciech Drewek <wojciech.drewek@...el.com>
> ---
> v2: add pppoe fields to explain
> ---
>  include/uapi/linux/pkt_cls.h |  3 ++
>  man/man8/tc-flower.8         | 17 ++++++++++-
>  tc/f_flower.c                | 58 ++++++++++++++++++++++++++++++++++++
>  3 files changed, 77 insertions(+), 1 deletion(-)
> 
> diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h
> index 9a2ee1e39fad..a67dcd8294c9 100644
> --- a/include/uapi/linux/pkt_cls.h
> +++ b/include/uapi/linux/pkt_cls.h
> @@ -589,6 +589,9 @@ enum {
>  
>  	TCA_FLOWER_KEY_NUM_OF_VLANS,    /* u8 */
>  
> +	TCA_FLOWER_KEY_PPPOE_SID,	/* u16 */
> +	TCA_FLOWER_KEY_PPP_PROTO,	/* be16 */
> +
>  	__TCA_FLOWER_MAX,
>  };
>  
> diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
> index 523935242ccf..5e486ea31d37 100644
> --- a/man/man8/tc-flower.8
> +++ b/man/man8/tc-flower.8
> @@ -40,6 +40,10 @@ flower \- flow based traffic control filter
>  .IR PRIORITY " | "
>  .BR cvlan_ethtype " { " ipv4 " | " ipv6 " | "
>  .IR ETH_TYPE " } | "
> +.B pppoe_sid
> +.IR PSID " | "
> +.BR ppp_proto " { " ip " | " ipv6 " | " mpls_uc " | " mpls_mc " | "
> +.IR PPP_PROTO " } | "
>  .B mpls
>  .IR LSE_LIST " | "
>  .B mpls_label
> @@ -202,7 +206,18 @@ Match on QinQ layer three protocol.
>  may be either
>  .BR ipv4 ", " ipv6
>  or an unsigned 16bit value in hexadecimal format.
> -
> +.TP
> +.BI pppoe_sid " PSID"
> +Match on PPPoE session id.
> +.I PSID
> +is an unsigned 16bit value in decimal format.
> +.TP
> +.BI ppp_proto " PPP_PROTO"
> +Match on PPP layer three protocol.
> +.I PPP_PROTO
> +may be either
> +.BR ip ", " ipv6 ", " mpls_uc ", " mpls_mc
> +or an unsigned 16bit value in hexadecimal format.
>  .TP
>  .BI mpls " LSE_LIST"
>  Match on the MPLS label stack.
> diff --git a/tc/f_flower.c b/tc/f_flower.c
> index 622ec321f310..c95320328b20 100644
> --- a/tc/f_flower.c
> +++ b/tc/f_flower.c
> @@ -20,6 +20,7 @@
>  #include <linux/ip.h>
>  #include <linux/tc_act/tc_vlan.h>
>  #include <linux/mpls.h>
> +#include <linux/ppp_defs.h>
>  
>  #include "utils.h"
>  #include "tc_util.h"
> @@ -55,6 +56,8 @@ static void explain(void)
>  		"			cvlan_id VID |\n"
>  		"			cvlan_prio PRIORITY |\n"
>  		"			cvlan_ethtype [ ipv4 | ipv6 | ETH-TYPE ] |\n"
> +		"			pppoe_sid PSID |\n"
> +		"			ppp_proto [ ipv4 | ipv6 | mpls_uc | mpls_mc | PPP_PROTO ]"
>  		"			dst_mac MASKED-LLADDR |\n"
>  		"			src_mac MASKED-LLADDR |\n"
>  		"			ip_proto [tcp | udp | sctp | icmp | icmpv6 | IP-PROTO ] |\n"
> @@ -1887,6 +1890,43 @@ static int flower_parse_opt(struct filter_util *qu, char *handle,
>  				fprintf(stderr, "Illegal \"arp_sha\"\n");
>  				return -1;
>  			}
> +
> +		} else if (!strcmp(*argv, "pppoe_sid")) {
> +			__be16 sid;
> +
> +			NEXT_ARG();
> +			if (eth_type != htons(ETH_P_PPP_SES)) {
> +				fprintf(stderr,
> +					"Can't set \"pppoe_sid\" if ethertype isn't PPPoE session\n");
> +				return -1;
> +			}
> +			ret = get_be16(&sid, *argv, 10);
> +			if (ret < 0 || sid == 0xffff) {
> +				fprintf(stderr, "Illegal \"pppoe_sid\"\n");

I don't think it makes sense to reject sid == 0xffff.
One might want to early match and drop such invalid packets.

Powered by blists - more mailing lists