lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220823154557.1400380-1-eyal.birger@gmail.com> Date: Tue, 23 Aug 2022 18:45:54 +0300 From: Eyal Birger <eyal.birger@...il.com> To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, steffen.klassert@...unet.com, herbert@...dor.apana.org.au, pablo@...filter.org, contact@...elbtn.com, dsahern@...nel.org Cc: netdev@...r.kernel.org, bpf@...r.kernel.org, devel@...ux-ipsec.org, Eyal Birger <eyal.birger@...il.com> Subject: [PATCH ipsec-next 0/3] xfrm: support collect metadata mode for xfrm interfaces This series adds support for "collect_md" mode in XFRM interfaces. This feature is useful for maintaining a large number of IPsec connections with the benefits of using a network interface while reducing the overhead of maintaining a large number of devices. Currently this is possible by having multiple connections share a common interface by sharing the if_id identifier and using some other criteria to distinguish between them - such as different subnets or skb marks. This becomes complex in multi-tenant environments where subnets collide and the mark space is used for other purposes. Since the xfrm interface uses the if_id as the differentiator when looking for policies, setting the if_id in the dst_metadata framework allows using a single interface for different connections while having the ability to selectively steer traffic to each one. The series is composed of the following steps: - Introduce a new METADATA_XFRM metadata type to be used for this purpose. Reuse of the existing "METADATA_IP_TUNNEL" type was rejected in [0] as XFRM does not necessarily represent an IP tunnel. - Add support for collect metadata mode in xfrm interfaces - Allow setting the XFRM metadata from the LWT infrastructure Future additions could allow setting/getting the XFRM metadata from eBPF programs, TC, OVS, NF, etc. [0] https://patchwork.kernel.org/project/netdevbpf/patch/20201121142823.3629805-1-eyal.birger@gmail.com/#23824575 Eyal Birger (3): net: allow storing xfrm interface metadata in metadata_dst xfrm: interface: support collect metadata mode xfrm: lwtunnel: add lwtunnel support for xfrm interfaces in collect_md mode include/net/dst_metadata.h | 25 +++++ include/net/xfrm.h | 11 +- include/uapi/linux/if_link.h | 1 + include/uapi/linux/lwtunnel.h | 9 ++ net/core/lwtunnel.c | 1 + net/xfrm/xfrm_input.c | 7 +- net/xfrm/xfrm_interface.c | 203 ++++++++++++++++++++++++++++++---- net/xfrm/xfrm_policy.c | 10 +- 8 files changed, 239 insertions(+), 28 deletions(-) -- 2.34.1
Powered by blists - more mailing lists