| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 27 Aug 2022 15:36:58 +0300
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: nicolas.dichtel@...nd.com, Eyal Birger <eyal.birger@...il.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, steffen.klassert@...unet.com,
herbert@...dor.apana.org.au, dsahern@...nel.org,
contact@...elbtn.com, pablo@...filter.org, netdev@...r.kernel.org,
bpf@...r.kernel.org, "daniel@...earbox.net" <daniel@...earbox.net>
Subject: Re: [PATCH ipsec-next,v2 2/3] xfrm: interface: support collect
metadata mode
On 26/08/2022 10:53, Nicolas Dichtel wrote:
>
> Le 25/08/2022 à 17:14, Eyal Birger a écrit :
>> On Thu, Aug 25, 2022 at 5:24 PM Nikolay Aleksandrov <razor@...ckwall.org> wrote:
>>>
>>> On 25/08/2022 16:46, Eyal Birger wrote:
>>>> This commit adds support for 'collect_md' mode on xfrm interfaces.
>>>>
>>>> Each net can have one collect_md device, created by providing the
>>>> IFLA_XFRM_COLLECT_METADATA flag at creation. This device cannot be
>>>> altered and has no if_id or link device attributes.
>>>>
>>>> On transmit to this device, the if_id is fetched from the attached dst
>>>> metadata on the skb. If exists, the link property is also fetched from
>>>> the metadata. The dst metadata type used is METADATA_XFRM which holds
>>>> these properties.
>>>>
>>>> On the receive side, xfrmi_rcv_cb() populates a dst metadata for each
>>>> packet received and attaches it to the skb. The if_id used in this case is
>>>> fetched from the xfrm state, and the link is fetched from the incoming
>>>> device. This information can later be used by upper layers such as tc,
>>>> ebpf, and ip rules.
>>>>
>>>> Because the skb is scrubed in xfrmi_rcv_cb(), the attachment of the dst
>>>> metadata is postponed until after scrubing. Similarly, xfrm_input() is
>>>> adapted to avoid dropping metadata dsts by only dropping 'valid'
>>>> (skb_valid_dst(skb) == true) dsts.
>>>>
>>>> Policy matching on packets arriving from collect_md xfrmi devices is
>>>> done by using the xfrm state existing in the skb's sec_path.
>>>> The xfrm_if_cb.decode_cb() interface implemented by xfrmi_decode_session()
>>>> is changed to keep the details of the if_id extraction tucked away
>>>> in xfrm_interface.c.
>>>>
>>>> Signed-off-by: Eyal Birger <eyal.birger@...il.com>
>>>>
>>>> ----
>>>>
>>>> v2:
>>>> - add "link" property as suggested by Nicolas Dichtel
>>>> - rename xfrm_if_decode_session_params to xfrm_if_decode_session_result
>>>> ---
>>>
>>> (+CC Daniel)
>>>
>>> Hi,
>>> Generally I really like the idea, but I missed to comment the first round. :)
>>> A few comments below..
>>>
>>
>> Thanks for the review!
>>
>>>> include/net/xfrm.h | 11 +++-
>> <...snip...>
>>>>
>>>> static const struct nla_policy xfrmi_policy[IFLA_XFRM_MAX + 1] = {
>>>> - [IFLA_XFRM_LINK] = { .type = NLA_U32 },
>>>> - [IFLA_XFRM_IF_ID] = { .type = NLA_U32 },
>>>> + [IFLA_XFRM_UNSPEC] = { .strict_start_type = IFLA_XFRM_COLLECT_METADATA },
>>>> + [IFLA_XFRM_LINK] = { .type = NLA_U32 },
>>>
>>> link is signed, so s32
>>
>> Ack on all comments except this one - I'm a little hesitant to change
>> this one as the change would be unrelated to this series.
> I agree, it's unrelated to this series.
Ohh right, my bad. I somehow confused this for new code. :)
Cheers,
Nik
Powered by blists - more mailing lists