Message-ID: <26391932ab935fc0553238c101f6a1ceff0d11a5.camel@redhat.com>
Date: Thu, 14 Sep 2023 09:30:18 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Victor Nogueira <victor@...atatu.com>, jhs@...atatu.com, xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org
Cc: mleitner@...hat.com, vladbu@...dia.com, horms@...nel.org, pctammela@...atatu.com, netdev@...r.kernel.org, kernel@...atatu.com
Subject: Re: [PATCH net-next v3 0/3] net/sched: Introduce tc block ports tracking and use

On Mon, 2023-09-11 at 20:27 -0300, Victor Nogueira wrote:
> __context__
> The "tc block" is a collection of netdevs/ports which allow qdiscs to share
> match-action block instances (as opposed to the traditional tc filter per
> netdev/port)[1].
>
> Example setup:
> $ tc qdisc add dev ens7 ingress block 22
> $ tc qdisc add dev ens8 ingress block 22
>
> Once the block is created we can add a filter using the block index:
> $ tc filter add block 22 protocol ip pref 25 \
>   flower dst_ip 192.168.0.0/16 action drop
>
> A packet with dst IP matching 192.168.0.0/16 arriving on the ingress of
> either ens7 or ens8 is dropped.
>
> __this patchset__
> Up to this point in the implementation, the block is unaware of its ports.
> This patch fixes that and makes the tc block ports available to the
> datapath.
>
> For the datapath we provide a use case of the tc block in an action
> we call "blockcast" in patch 3. This action can be used in an example as
> such:
>
> $ tc qdisc add dev ens7 ingress block 22
> $ tc qdisc add dev ens8 ingress block 22
> $ tc qdisc add dev ens9 ingress block 22
> $ tc filter add block 22 protocol ip pref 25 \
>   flower dst_ip 192.168.0.0/16 action blockcast
>
> When a packet (matching dst IP 192.168.0.0/16) arrives on the ingress of any
> of ens7, ens8 or ens9 it will be copied to all ports other than itself.
> For example, if it arrives on ens8 then a copy of the packet will be
> "blockcasted" to both ens7 and ens9 (unmodified), but not to ens7.

Very minor typo above, "to ens7" should be "to ens8", I guess.

Not worthy reposting for this anyway.

Cheers,

Paolo
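The port tracking and blockcast fan-out described in the quoted cover letter, modelled in userspace as an added example (not code from the patch series or the kernel). The `TcBlock` class, its method names and the "pass" verdict for unmatched packets are hypothetical, and only the `drop` and `blockcast` actions from the quoted commands are modelled.

```python
import ipaddress


class TcBlock:
    """Hypothetical userspace model of a shared tc block (not kernel code)."""

    def __init__(self, index):
        self.index = index
        self.ports = []    # netdevs whose ingress qdisc is bound to this block
        self.filters = []  # (pref, destination network, action), sorted by pref

    def bind(self, dev):
        # Models: tc qdisc add dev <dev> ingress block <index>
        if dev not in self.ports:
            self.ports.append(dev)

    def unbind(self, dev):
        # A port that leaves the block must stop receiving blockcast copies.
        self.ports.remove(dev)

    def add_filter(self, pref, dst_ip, action):
        # Models: tc filter add block <index> protocol ip pref <pref> \
        #             flower dst_ip <dst_ip> action <action>
        if action not in ("drop", "blockcast"):
            raise ValueError("only drop and blockcast are modelled")
        self.filters.append((pref, ipaddress.ip_network(dst_ip), action))
        self.filters.sort(key=lambda f: f[0])

    def ingress(self, dev, dst_ip):
        """Return (verdict, ports that get a copy) for a packet arriving on dev."""
        if dev not in self.ports:
            raise ValueError(f"{dev} is not bound to block {self.index}")
        addr = ipaddress.ip_address(dst_ip)
        for _pref, network, action in self.filters:
            if addr in network:
                if action == "drop":
                    return ("drop", [])
                # blockcast: every port tracked by the block except the ingress one
                return ("blockcast", [p for p in self.ports if p != dev])
        return ("pass", [])  # no filter matched (verdict name is an assumption)


def build_example_block():
    # Same setup as the quoted commands: block 22 shared by ens7, ens8 and ens9.
    block = TcBlock(22)
    for dev in ("ens7", "ens8", "ens9"):
        block.bind(dev)
    block.add_filter(25, "192.168.0.0/16", "blockcast")
    return block
```

The fan-out list can only be computed because the block keeps its own port list, which is the tracking the patchset introduces.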