Message-ID: <66ab8b9ef3d74_2441da2947d@willemb.c.googlers.com.notmuch>
Date: Thu, 01 Aug 2024 09:20:30 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Tom Herbert <tom@...bertland.com>,
davem@...emloft.net,
kuba@...nel.org,
edumazet@...gle.com,
netdev@...r.kernel.org,
felipe@...anda.io
Cc: Tom Herbert <tom@...bertland.com>
Subject: Re: [PATCH 00/12] flow_dissector: Dissect UDP encapsulation protocols

Tom Herbert wrote:
> Add support in flow_dissector for dissecting into UDP
> encapsulations like VXLAN. __skb_flow_dissect_udp is called for
> IPPROTO_UDP. The flag FLOW_DISSECTOR_F_PARSE_UDP_ENCAPS enables parsing
> of UDP encapsulations. If the flag is set when parsing a UDP packet then
> a socket lookup is performed. The offset of the base network header,
> either an IPv4 or IPv6 header, is tracked and passed to
> __skb_flow_dissect_udp so that it can perform the socket lookup.
> If a socket is found and it's for a UDP encapsulation (encap_type is
> set in the UDP socket) then a switch is performed on the encap_type
> value (cases are UDP_ENCAP_* values)

The main concern with the flow dissector is that its execution depends
on untrusted packets.

For this reason we added the BPF dissector for new protocols. What is
the reason to prefer adding more C code?

And somewhat academic, but: would it be different if the BPF would
ship with the kernel and autoload at boot, just like C modules?

A second concern is changing the defaults. I have not looked at this
closely, but if dissection today stops at the outer UDP header for
skb_get_hash, then we don't want to accidentally change this behavior.
Or if not accidental, call it out explicitly.

>
> Tested: Verified fou, gue, vxlan, and geneve are properly dissected for
> IPv4 and IPv6 cases. This includes testing ETH_P_TEB case

Manually?
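
Added illustration, not part of the thread or of the patch series: a userspace C sketch of the two concerns raised in the reply above, namely that every read from an untrusted packet is length-checked and that dissection stays at the outer UDP header unless the flag is set. All names, the fixed port check standing in for the socket lookup, and the sample packet are constructed assumptions; IP options beyond the header length, fragments and IPv6 are not handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace sketch with hypothetical names; not the kernel's flow dissector. */
#define F_PARSE_UDP_ENCAPS 0x1u /* stands in for FLOW_DISSECTOR_F_PARSE_UDP_ENCAPS */
struct keys { uint16_t sport, dport; int depth; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Assumption: a fixed port check replaces the socket lookup and its encap_type. */
static int is_vxlan(uint16_t dport) { return dport == 4789; }

/* Every offset is length-checked before it is read. Returns 0 with keys filled,
 * -1 if a header is truncated or the outer packet is not IPv4/UDP. */
int dissect(const uint8_t *p, size_t len, unsigned flags, struct keys *k)
{
    for (int depth = 0; depth < 2; depth++) {       /* bounded nesting */
        if (len < 20) return -1;
        size_t ihl = (size_t)(p[0] & 0x0f) * 4;
        if ((p[0] >> 4) != 4 || ihl < 20 || p[9] != 17) return depth ? 0 : -1;
        if (len < ihl + 8) return -1;
        k->sport = rd16(p + ihl); k->dport = rd16(p + ihl + 2);
        k->depth = depth;
        /* Flag clear (the default): stop at the outer UDP header. */
        if (!(flags & F_PARSE_UDP_ENCAPS) || !is_vxlan(k->dport)) return 0;
        size_t off = ihl + 8 + 8 + 14;              /* UDP + VXLAN + inner Ethernet */
        if (len < off) return -1;
        if (rd16(p + off - 2) != 0x0800) return 0;  /* inner not IPv4: keep outer keys */
        p += off; len -= off;
    }
    return 0;
}

/* Constructed sample: IPv4/UDP(1111->4789)/VXLAN/Ethernet/IPv4/UDP(2222->53). */
static const uint8_t sample[78] = {
    [0] = 0x45, [9] = 17, [20] = 0x04, [21] = 0x57, [22] = 0x12, [23] = 0xb5,
    [48] = 0x08, [50] = 0x45, [59] = 17, [70] = 0x08, [71] = 0xae, [73] = 0x35,
};

/* Destination port a hash would see for the first len bytes, or -1 on error. */
int hashed_dport(size_t len, unsigned flags)
{
    struct keys k = {0};
    return dissect(sample, len, flags, &k) ? -1 : k.dport;
}

int main(void)
{
    printf("flag clear: %d\n", hashed_dport(78, 0));
    printf("flag set:   %d\n", hashed_dport(78, F_PARSE_UDP_ENCAPS));
    return 0;
}
```

The same packet yields different hash inputs depending on the flag, which is the behaviour change the reply asks to have called out explicitly.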