Message-ID: <4635a45e-7e49-4ffb-a769-8a5dd8095ae6@blackwall.org>
Date: Fri, 24 May 2024 17:11:51 +0300
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Daniel Borkmann <daniel@...earbox.net>, martin.lau@...nel.org
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH bpf 2/5] netkit: Fix pkt_type override upon netkit pass
 verdict

On 5/24/24 16:01, Daniel Borkmann wrote:
> When running Cilium connectivity test suite with netkit in L2 mode, we
> found that compared to tcx a few tests were failing which pushed traffic
> into an L7 proxy sitting in host namespace. The problem in particular is
> around the invocation of eth_type_trans() in netkit.
> 
> In case of tcx, this is run before the tcx ingress is triggered inside
> host namespace and thus if the BPF program uses the bpf_skb_change_type()
> helper the newly set type is retained. However, in case of netkit, the
> late eth_type_trans() invocation overrides the earlier decision from the
> BPF program which eventually leads to the test failure.
> 
> Instead of eth_type_trans(), split out the relevant parts, meaning, reset
> of mac header and call to eth_skb_pkt_type() before the BPF program is run
> in order to have the same behavior as with tcx, and refactor a small helper
> called eth_skb_pull_mac() which is run in case it's passed up the stack
> where the mac header must be pulled. With this all connectivity tests pass.
> 
> Fixes: 35dfaad7188c ("netkit, bpf: Add bpf programmable net device")
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> ---
>  drivers/net/netkit.c        | 4 +++-
>  include/linux/etherdevice.h | 8 ++++++++
>  net/ethernet/eth.c          | 4 +---
>  3 files changed, 12 insertions(+), 4 deletions(-)
> 

Interesting find, looks good to me. :)
Acked-by: Nikolay Aleksandrov <razor@...ckwall.org>


