Message-ID: <aKrmOtDqr_46icM1@shredder>
Date: Sun, 24 Aug 2025 13:15:22 +0300
From: Ido Schimmel <idosch@...dia.com>
To: Guillaume Nault <gnault@...hat.com>
Cc: David Miller <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Eric Dumazet <edumazet@...gle.com>,
netdev@...r.kernel.org, Simon Horman <horms@...nel.org>,
Taehee Yoo <ap420073@...il.com>,
Andrew Lunn <andrew+netdev@...n.ch>,
Saeed Mahameed <saeedm@...dia.com>,
Leon Romanovsky <leon@...nel.org>, Tariq Toukan <tariqt@...dia.com>,
Mark Bloch <mbloch@...dia.com>,
Edward Cree <ecree.xilinx@...il.com>,
Pablo Neira Ayuso <pablo@...filter.org>,
Harald Welte <laforge@...monks.org>,
David Ahern <dsahern@...nel.org>,
Steven Rostedt <rostedt@...dmis.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Daniel Borkmann <daniel@...earbox.net>,
John Fastabend <john.fastabend@...il.com>,
Stanislav Fomichev <sdf@...ichev.me>,
Alexei Starovoitov <ast@...nel.org>,
Andrii Nakryiko <andrii@...nel.org>,
Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>,
Yonghong Song <yonghong.song@...ux.dev>,
KP Singh <kpsingh@...nel.org>, Hao Luo <haoluo@...gle.com>,
Jiri Olsa <jolsa@...nel.org>,
Jozsef Kadlecsik <kadlec@...filter.org>,
Florian Westphal <fw@...len.de>,
Steffen Klassert <steffen.klassert@...unet.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
Xin Long <lucien.xin@...il.com>
Subject: Re: [PATCH net-next] ipv4: Convert ->flowi4_tos to dscp_t.
On Thu, Aug 21, 2025 at 04:06:57PM +0200, Guillaume Nault wrote:
> By the way, do you have an opinion about converting struct
> ip_tunnel_key::tos? Do you think it'd be worth it, or just code churn?

I'm not sure if it's even possible. For example, on Tx, some drivers
interpret ip_tunnel_key::tos being 1 as a sign that TOS should be
inherited from the encapsulated packet. See the script in [1] and its
output in [2] for example.

On Rx, drivers in collect metadata ("external") mode set this field to
the TOS from the outer header (which can have ECN bits set). The field
can later be used to match on the outer TOS using flower's "enc_tos" key
(for example). See the script in [3] and its output in [4].

[1]
#!/bin/bash

ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add default dev dummy1
ip -n ns1 link add name ipip1 up type ipip external
ip -n ns1 route add 192.0.2.0/24 dev ipip1 \
	encap ip id 1234 dst 198.51.100.1 src 192.0.2.1 tos 1

ip netns exec ns1 tcpdump -i dummy1 -Q out -n -vvv -c 1 dst host 198.51.100.1 &
sleep 1
ip netns exec ns1 ping -q -Q 4 -w 1 -c 1 192.0.2.2

ip netns del ns1

[2]
# ./ipip_repo_tunkey.sh
dropped privs to tcpdump
tcpdump: listening on dummy1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
PING 192.0.2.2 (192.0.2.2) 56(84) bytes of data.
13:11:02.742405 IP (tos 0x4, ttl 64, id 64774, offset 0, flags [none], proto IPIP (4), length 104)
192.0.2.1 > 198.51.100.1: IP (tos 0x4, ttl 64, id 21845, offset 0, flags [DF], proto ICMP (1), length 84)
192.0.2.1 > 192.0.2.2: ICMP echo request, id 360, seq 1, length 64
1 packet captured
1 packet received by filter
0 packets dropped by kernel
--- 192.0.2.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[3]
#!/bin/bash

for ns in ns1 ns2; do
	ip netns add $ns
	ip -n $ns link set dev lo up
done

ip -n ns1 link add name eth0 type veth peer name eth0 netns ns2
ip -n ns1 link set dev eth0 up
ip -n ns2 link set dev eth0 up

ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name vx0 up type \
	vxlan id 10010 local 192.0.2.1 remote 192.0.2.2 dstport 4789 tos 0xff
ip -n ns1 address add 192.0.2.17/28 dev eth0
ip -n ns1 route add default via 192.0.2.18

ip -n ns2 address add 192.0.2.2/32 dev lo
ip -n ns2 link add name vx0 up type vxlan dstport 4789 external
ip -n ns2 address add 192.0.2.18/28 dev eth0
ip -n ns2 route add default via 192.0.2.17

tc -n ns2 qdisc add dev vx0 clsact
tc -n ns2 filter add dev vx0 ingress pref 1 proto all \
	flower enc_src_ip 192.0.2.1 enc_dst_ip 192.0.2.2 enc_tos 0xfe \
	action drop

ip netns exec ns1 mausezahn vx0 -a own -b 00:11:22:33:44:55 \
	-A 198.51.100.1 -B 198.51.100.2 -t ip tos=0xff -c 1 -q
sleep 1
tc -n ns2 -s filter show dev vx0 ingress

for ns in ns1 ns2; do
	ip netns del $ns
done

[4]
# ./vxlan_repo_tunkey.sh
filter protocol all pref 1 flower chain 0
filter protocol all pref 1 flower chain 0 handle 0x1
enc_dst_ip 192.0.2.2
enc_src_ip 192.0.2.1
enc_tos 254
not_in_hw
action order 1: gact action drop
random type none pass val 0
index 1 ref 1 bind 1 installed 1 sec used 1 sec firstused 1 sec
Action statistics:
Sent 20 bytes 1 pkt (dropped 1, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
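
Added example, not part of the original message and not kernel code: a simplified user-space model of the two behaviours shown by scripts [1] and [3], comparing a full 8-bit key TOS with one reduced to its DSCP bits. All function names are hypothetical; the ECN handling (inner ECN copied to the outer header, CE mapped to ECT(0)) is assumed to follow the kernel's tunnel encapsulation rule.

```c
#include <stdint.h>
#include <stdio.h>

#define ECN_MASK   0x03u  /* low two bits of the TOS byte */
#define ECN_ECT_0  0x02u
#define ECN_CE     0x03u
#define DSCP_MASK  0xfcu  /* the six bits a DSCP-only value retains */

/* Assumption: a DSCP-only field cannot carry the two ECN bits. */
static uint8_t to_dscp_only(uint8_t tos) { return tos & DSCP_MASK; }

/* Outer ECN bits are copied from the inner header, except CE -> ECT(0). */
static uint8_t ecn_encapsulate(uint8_t outer, uint8_t inner)
{
    uint8_t ecn = inner & ECN_MASK;
    return (uint8_t)((outer & ~ECN_MASK) | (ecn == ECN_CE ? ECN_ECT_0 : ecn));
}

/* Tx: a configured TOS of exactly 1 means "inherit from the inner packet". */
static uint8_t tx_outer_tos(uint8_t key_tos, uint8_t inner_tos)
{
    uint8_t tos = (key_tos == 1) ? inner_tos : key_tos;
    return ecn_encapsulate(tos, inner_tos);
}

/* Rx: exact (mask 0xff) match of the stored key TOS against enc_tos. */
static int rx_enc_tos_match(uint8_t key_tos, uint8_t enc_tos)
{
    return key_tos == enc_tos;
}

int main(void)
{
    /* Script [1]: encap "tos 1", inner packet sent with ping -Q 4. */
    printf("tx u8 key:   outer tos 0x%x\n", tx_outer_tos(1, 0x04));
    printf("tx dscp key: outer tos 0x%x\n", tx_outer_tos(to_dscp_only(1), 0x04));

    /* Script [3]: device tos 0xff, inner tos 0xff, filter enc_tos 0xfe. */
    uint8_t outer = tx_outer_tos(0xff, 0xff);
    printf("rx outer tos 0x%x\n", outer);
    printf("rx u8 key:   match=%d\n", rx_enc_tos_match(outer, 0xfe));
    printf("rx dscp key: match=%d\n", rx_enc_tos_match(to_dscp_only(outer), 0xfe));
    return 0;
}
```

In this model the DSCP-only key loses the "inherit" sentinel on Tx (outer TOS 0x0 instead of 0x4) and the ECN bits on Rx, so a filter written against the full outer TOS, such as the enc_tos 0xfe drop rule in [3], no longer matches.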