| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e80f14c5-4ca4-55b0-57e0-108fb73fb828@6wind.com>
Date: Fri, 26 Aug 2022 09:53:30 +0200
From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
To: Eyal Birger <eyal.birger@...il.com>,
Nikolay Aleksandrov <razor@...ckwall.org>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, steffen.klassert@...unet.com,
herbert@...dor.apana.org.au, dsahern@...nel.org,
contact@...elbtn.com, pablo@...filter.org, netdev@...r.kernel.org,
bpf@...r.kernel.org, "daniel@...earbox.net" <daniel@...earbox.net>
Subject: Re: [PATCH ipsec-next,v2 2/3] xfrm: interface: support collect
metadata mode
Le 25/08/2022 à 17:14, Eyal Birger a écrit :
> On Thu, Aug 25, 2022 at 5:24 PM Nikolay Aleksandrov <razor@...ckwall.org> wrote:
>>
>> On 25/08/2022 16:46, Eyal Birger wrote:
>>> This commit adds support for 'collect_md' mode on xfrm interfaces.
>>>
>>> Each net can have one collect_md device, created by providing the
>>> IFLA_XFRM_COLLECT_METADATA flag at creation. This device cannot be
>>> altered and has no if_id or link device attributes.
>>>
>>> On transmit to this device, the if_id is fetched from the attached dst
>>> metadata on the skb. If exists, the link property is also fetched from
>>> the metadata. The dst metadata type used is METADATA_XFRM which holds
>>> these properties.
>>>
>>> On the receive side, xfrmi_rcv_cb() populates a dst metadata for each
>>> packet received and attaches it to the skb. The if_id used in this case is
>>> fetched from the xfrm state, and the link is fetched from the incoming
>>> device. This information can later be used by upper layers such as tc,
>>> ebpf, and ip rules.
>>>
>>> Because the skb is scrubed in xfrmi_rcv_cb(), the attachment of the dst
>>> metadata is postponed until after scrubing. Similarly, xfrm_input() is
>>> adapted to avoid dropping metadata dsts by only dropping 'valid'
>>> (skb_valid_dst(skb) == true) dsts.
>>>
>>> Policy matching on packets arriving from collect_md xfrmi devices is
>>> done by using the xfrm state existing in the skb's sec_path.
>>> The xfrm_if_cb.decode_cb() interface implemented by xfrmi_decode_session()
>>> is changed to keep the details of the if_id extraction tucked away
>>> in xfrm_interface.c.
>>>
>>> Signed-off-by: Eyal Birger <eyal.birger@...il.com>
>>>
>>> ----
>>>
>>> v2:
>>> - add "link" property as suggested by Nicolas Dichtel
>>> - rename xfrm_if_decode_session_params to xfrm_if_decode_session_result
>>> ---
>>
>> (+CC Daniel)
>>
>> Hi,
>> Generally I really like the idea, but I missed to comment the first round. :)
>> A few comments below..
>>
>
> Thanks for the review!
>
>>> include/net/xfrm.h | 11 +++-
> <...snip...>
>>>
>>> static const struct nla_policy xfrmi_policy[IFLA_XFRM_MAX + 1] = {
>>> - [IFLA_XFRM_LINK] = { .type = NLA_U32 },
>>> - [IFLA_XFRM_IF_ID] = { .type = NLA_U32 },
>>> + [IFLA_XFRM_UNSPEC] = { .strict_start_type = IFLA_XFRM_COLLECT_METADATA },
>>> + [IFLA_XFRM_LINK] = { .type = NLA_U32 },
>>
>> link is signed, so s32
>
> Ack on all comments except this one - I'm a little hesitant to change
> this one as the change would be unrelated to this series.
I agree, it's unrelated to this series.
Powered by blists - more mailing lists