lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 24 Jul 2023 11:23:42 -0400
From: Aaron Conole <aconole@...hat.com>
To: Adrian Moreno <amorenoz@...hat.com>
Cc: netdev@...r.kernel.org,  dev@...nvswitch.org,  i.maximets@....org,
  eric@...ver.life
Subject: Re: [PATCH net-next 4/7] net: openvswitch: add misc error drop reasons

Adrian Moreno <amorenoz@...hat.com> writes:

> Use drop reasons from include/net/dropreason-core.h when a reasonable
> candidate exists.
>
> Signed-off-by: Adrian Moreno <amorenoz@...hat.com>
> ---
>  net/openvswitch/actions.c   | 17 ++++++++++-------
>  net/openvswitch/conntrack.c |  3 ++-
>  net/openvswitch/drop.h      |  6 ++++++
>  3 files changed, 18 insertions(+), 8 deletions(-)
>
> diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
> index 9279bb186e9f..42fa1e7eb912 100644
> --- a/net/openvswitch/actions.c
> +++ b/net/openvswitch/actions.c

Did you consider putting in a drop reason when one of the actions fails
setting err?  For example, if dec_ttl fails with some error other than
EHOSTUNREACH, it will drop into the kfree_skb() case... maybe we should
have an action_failed drop reason that can be passed there.

> @@ -782,7 +782,7 @@ static int ovs_vport_output(struct net *net, struct sock *sk,
>  	struct vport *vport = data->vport;
>  
>  	if (skb_cow_head(skb, data->l2_len) < 0) {
> -		kfree_skb(skb);
> +		kfree_skb_reason(skb, SKB_DROP_REASON_NOMEM);
>  		return -ENOMEM;
>  	}
>  
> @@ -853,6 +853,7 @@ static void ovs_fragment(struct net *net, struct vport *vport,
>  			 struct sk_buff *skb, u16 mru,
>  			 struct sw_flow_key *key)
>  {
> +	enum ovs_drop_reason reason;
>  	u16 orig_network_offset = 0;
>  
>  	if (eth_p_mpls(skb->protocol)) {
> @@ -862,6 +863,7 @@ static void ovs_fragment(struct net *net, struct vport *vport,
>  
>  	if (skb_network_offset(skb) > MAX_L2_LEN) {
>  		OVS_NLERR(1, "L2 header too long to fragment");
> +		reason = OVS_DROP_FRAG_L2_TOO_LONG;
>  		goto err;
>  	}
>  
> @@ -902,12 +904,13 @@ static void ovs_fragment(struct net *net, struct vport *vport,
>  		WARN_ONCE(1, "Failed fragment ->%s: eth=%04x, MRU=%d, MTU=%d.",
>  			  ovs_vport_name(vport), ntohs(key->eth.type), mru,
>  			  vport->dev->mtu);
> +		reason = OVS_DROP_FRAG_INVALID_PROTO;
>  		goto err;
>  	}
>  
>  	return;
>  err:
> -	kfree_skb(skb);
> +	kfree_skb_reason(skb, reason);
>  }
>  
>  static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,
> @@ -934,10 +937,10 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,
>  
>  			ovs_fragment(net, vport, skb, mru, key);
>  		} else {
> -			kfree_skb(skb);
> +			kfree_skb_reason(skb, SKB_DROP_REASON_PKT_TOO_BIG);
>  		}
>  	} else {
> -		kfree_skb(skb);
> +		kfree_skb_reason(skb, SKB_DROP_REASON_DEV_READY);
>  	}
>  }
>  
> @@ -1011,7 +1014,7 @@ static int dec_ttl_exception_handler(struct datapath *dp, struct sk_buff *skb,
>  		return clone_execute(dp, skb, key, 0, nla_data(actions),
>  				     nla_len(actions), true, false);
>  
> -	consume_skb(skb);
> +	kfree_skb_reason(skb, OVS_DROP_IP_TTL);
>  	return 0;
>  }
>  
> @@ -1564,7 +1567,7 @@ static int clone_execute(struct datapath *dp, struct sk_buff *skb,
>  		/* Out of per CPU action FIFO space. Drop the 'skb' and
>  		 * log an error.
>  		 */
> -		kfree_skb(skb);
> +		kfree_skb_reason(skb, OVS_DROP_DEFERRED_LIMIT);
>  
>  		if (net_ratelimit()) {
>  			if (actions) { /* Sample action */
> @@ -1616,7 +1619,7 @@ int ovs_execute_actions(struct datapath *dp, struct sk_buff *skb,
>  	if (unlikely(level > OVS_RECURSION_LIMIT)) {
>  		net_crit_ratelimited("ovs: recursion limit reached on datapath %s, probable configuration error\n",
>  				     ovs_dp_name(dp));
> -		kfree_skb(skb);
> +		kfree_skb_reason(skb, OVS_DROP_RECURSION_LIMIT);
>  		err = -ENETDOWN;
>  		goto out;
>  	}
> diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
> index fa955e892210..b03ebd4a8fae 100644
> --- a/net/openvswitch/conntrack.c
> +++ b/net/openvswitch/conntrack.c
> @@ -29,6 +29,7 @@
>  #include <net/netfilter/nf_conntrack_act_ct.h>
>  
>  #include "datapath.h"
> +#include "drop.h"
>  #include "conntrack.h"
>  #include "flow.h"
>  #include "flow_netlink.h"
> @@ -1035,7 +1036,7 @@ int ovs_ct_execute(struct net *net, struct sk_buff *skb,
>  
>  	skb_push_rcsum(skb, nh_ofs);
>  	if (err)
> -		kfree_skb(skb);
> +		kfree_skb_reason(skb, OVS_DROP_CONNTRACK);
>  	return err;
>  }
>  
> diff --git a/net/openvswitch/drop.h b/net/openvswitch/drop.h
> index 2440c836727f..744b8d1b93a3 100644
> --- a/net/openvswitch/drop.h
> +++ b/net/openvswitch/drop.h
> @@ -12,6 +12,12 @@
>  	R(OVS_DROP_EXPLICIT_ACTION)		\
>  	R(OVS_DROP_EXPLICIT_ACTION_ERROR)	\
>  	R(OVS_DROP_METER)			\
> +	R(OVS_DROP_RECURSION_LIMIT)		\
> +	R(OVS_DROP_DEFERRED_LIMIT)		\
> +	R(OVS_DROP_FRAG_L2_TOO_LONG)		\
> +	R(OVS_DROP_FRAG_INVALID_PROTO)		\
> +	R(OVS_DROP_CONNTRACK)			\
> +	R(OVS_DROP_IP_TTL)			\
>  	/* deliberate comment for trailing \ */
>  
>  enum ovs_drop_reason {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ