Date: Wed, 2 Aug 2023 10:30:52 +0200
From: Davide Caratti <dcaratti@...hat.com>
To: Ido Schimmel <idosch@...dia.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net, kuba@...nel.org,
	pabeni@...hat.com, edumazet@...gle.com, petrm@...dia.com,
	razor@...ckwall.org, mirsad.todorovac@....unizg.hr
Subject: Re: [PATCH net 13/17] selftests: forwarding: tc_tunnel_key: Make
 filters more specific

On Wed, Aug 02, 2023 at 10:51:14AM +0300, Ido Schimmel wrote:
> The test installs filters that match on various IP fragments (e.g., no
> fragment, first fragment) and expects a certain amount of packets to hit
> each filter. This is problematic as the filters are not specific enough
> and can match IP packets (e.g., IGMP) generated by the stack, resulting
> in failures [1].

[...]

> --- a/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
> +++ b/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
> @@ -104,11 +104,14 @@ tunnel_key_nofrag_test()
>  	local i
>  
>  	tc filter add dev $swp1 ingress protocol ip pref 100 handle 100 \
> -		flower ip_flags nofrag action drop
> +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> +		ip_flags nofrag action drop
>  	tc filter add dev $swp1 ingress protocol ip pref 101 handle 101 \
> -		flower ip_flags firstfrag action drop
> +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> +		ip_flags firstfrag action drop
>  	tc filter add dev $swp1 ingress protocol ip pref 102 handle 102 \
> -		flower ip_flags nofirstfrag action drop
> +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> +		ip_flags nofirstfrag action drop
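Review bot: The `ip_proto udp` match added to all three filters (pref 100, 101 and 102) in tunnel_key_nofrag_test() depends on the test traffic actually being UDP, and this hunk changes only the filters, not the command that generates the packets. If the generator emits IP packets with a different protocol number, none of the three filters will match and the expected hit counts will not be reached, so either update the traffic generation in the same patch or match on the protocol the generator really sends. The literal `src_ip 192.0.2.1 dst_ip 192.0.2.2` pair is also repeated in each filter; a short comment or a pair of local variables tying those addresses to the host configuration would keep the filters from silently going stale if the test topology changes.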


hello Ido, my 2 cents:

is it safe to match on the UDP protocol without changing the mausezahn
command line? I see that it's generating generic IP packets at the
moment (i.e. it does '-t ip'). Maybe it's more robust to change
the test to generate ICMP and then match on the ICMP protocol?

thanks!
-- 
davide

 

