Message-ID: <aKxJEaSZ40d416sK@debian>
Date: Mon, 25 Aug 2025 13:29:21 +0200
From: Guillaume Nault <gnault@...hat.com>
To: Ido Schimmel <idosch@...dia.com>
Cc: David Miller <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
	Paolo Abeni <pabeni@...hat.com>, Eric Dumazet <edumazet@...gle.com>,
	netdev@...r.kernel.org, Simon Horman <horms@...nel.org>,
	Taehee Yoo <ap420073@...il.com>,
	Andrew Lunn <andrew+netdev@...n.ch>,
	Saeed Mahameed <saeedm@...dia.com>,
	Leon Romanovsky <leon@...nel.org>, Tariq Toukan <tariqt@...dia.com>,
	Mark Bloch <mbloch@...dia.com>,
	Edward Cree <ecree.xilinx@...il.com>,
	Pablo Neira Ayuso <pablo@...filter.org>,
	Harald Welte <laforge@...monks.org>,
	David Ahern <dsahern@...nel.org>,
	Steven Rostedt <rostedt@...dmis.org>,
	Masami Hiramatsu <mhiramat@...nel.org>,
	Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
	Martin KaFai Lau <martin.lau@...ux.dev>,
	Daniel Borkmann <daniel@...earbox.net>,
	John Fastabend <john.fastabend@...il.com>,
	Stanislav Fomichev <sdf@...ichev.me>,
	Alexei Starovoitov <ast@...nel.org>,
	Andrii Nakryiko <andrii@...nel.org>,
	Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>,
	Yonghong Song <yonghong.song@...ux.dev>,
	KP Singh <kpsingh@...nel.org>, Hao Luo <haoluo@...gle.com>,
	Jiri Olsa <jolsa@...nel.org>,
	Jozsef Kadlecsik <kadlec@...filter.org>,
	Florian Westphal <fw@...len.de>,
	Steffen Klassert <steffen.klassert@...unet.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
	Xin Long <lucien.xin@...il.com>
Subject: Re: [PATCH net-next] ipv4: Convert ->flowi4_tos to dscp_t.

On Sun, Aug 24, 2025 at 01:15:22PM +0300, Ido Schimmel wrote:
> On Thu, Aug 21, 2025 at 04:06:57PM +0200, Guillaume Nault wrote:
> > By the way, do you have an opinion about converting struct
> > ip_tunnel_key::tos? Do you think it'd be worth it, or just code churn?
> 
> I'm not sure if it's even possible. For example, on Tx, some drivers
> interpret ip_tunnel_key::tos being 1 as a sign that TOS should be
> inherited from the encapsulated packet. See the script in [1] and its
> output in [2] for example.

For this case, I was thinking of storing the "inherit" option in a
tunnel flag.

> On Rx, drivers in collect metadata ("external") mode set this field to
> the TOS from the outer header (which can have ECN bits set). The field
> can later be used to match on the outer TOS using flower's "enc_tos" key
> (for example). See the script in [3] and its output in [4].

This one would be a problem indeed.
I'll leave struct ip_tunnel_key alone.

> [1]
> #!/bin/bash
> 
> ip netns add ns1
> ip -n ns1 link set dev lo up
> ip -n ns1 address add 192.0.2.1/32 dev lo
> 
> ip -n ns1 link add name dummy1 up type dummy
> ip -n ns1 route add default dev dummy1
> 
> ip -n ns1 link add name ipip1 up type ipip external
> ip -n ns1 route add 192.0.2.0/24 dev ipip1 \
> 	encap ip id 1234 dst 198.51.100.1 src 192.0.2.1 tos 1
> 
> ip netns exec ns1 tcpdump -i dummy1 -Q out -n -vvv -c 1 dst host 198.51.100.1 &
> sleep 1
> ip netns exec ns1 ping -q -Q 4 -w 1 -c 1 192.0.2.2
> 
> ip netns del ns1
> 
> [2]
> # ./ipip_repo_tunkey.sh 
> dropped privs to tcpdump
> tcpdump: listening on dummy1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> PING 192.0.2.2 (192.0.2.2) 56(84) bytes of data.
> 13:11:02.742405 IP (tos 0x4, ttl 64, id 64774, offset 0, flags [none], proto IPIP (4), length 104)
>     192.0.2.1 > 198.51.100.1: IP (tos 0x4, ttl 64, id 21845, offset 0, flags [DF], proto ICMP (1), length 84)
>     192.0.2.1 > 192.0.2.2: ICMP echo request, id 360, seq 1, length 64
> 1 packet captured
> 1 packet received by filter
> 0 packets dropped by kernel
> 
> --- 192.0.2.2 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
> 
> [3]
> #!/bin/bash
> 
> for ns in ns1 ns2; do
> 	ip netns add $ns
> 	ip -n $ns link set dev lo up
> done
> 
> ip -n ns1 link add name eth0 type veth peer name eth0 netns ns2
> ip -n ns1 link set dev eth0 up
> ip -n ns2 link set dev eth0 up
> 
> ip -n ns1 address add 192.0.2.1/32 dev lo
> ip -n ns1 link add name vx0 up type \
> 	vxlan id 10010 local 192.0.2.1 remote 192.0.2.2 dstport 4789 tos 0xff
> ip -n ns1 address add 192.0.2.17/28 dev eth0
> ip -n ns1 route add default via 192.0.2.18
> 
> ip -n ns2 address add 192.0.2.2/32 dev lo
> ip -n ns2 link add name vx0 up type vxlan dstport 4789 external
> ip -n ns2 address add 192.0.2.18/28 dev eth0
> ip -n ns2 route add default via 192.0.2.17
> tc -n ns2 qdisc add dev vx0 clsact
> tc -n ns2 filter add dev vx0 ingress pref 1 proto all \
> 	flower enc_src_ip 192.0.2.1 enc_dst_ip 192.0.2.2 enc_tos 0xfe \
> 	action drop
> 
> ip netns exec ns1 mausezahn vx0 -a own -b 00:11:22:33:44:55 \
> 	-A 198.51.100.1 -B 198.51.100.2 -t ip tos=0xff -c 1 -q
> sleep 1
> tc -n ns2 -s filter show dev vx0 ingress
> 
> for ns in ns1 ns2; do
> 	ip netns del $ns
> done
> 
> [4]
> # ./vxlan_repo_tunkey.sh 
> filter protocol all pref 1 flower chain 0 
> filter protocol all pref 1 flower chain 0 handle 0x1 
>   enc_dst_ip 192.0.2.2
>   enc_src_ip 192.0.2.1
>   enc_tos 254
>   not_in_hw
>         action order 1: gact action drop
>          random type none pass val 0
>          index 1 ref 1 bind 1 installed 1 sec used 1 sec firstused 1 sec
>         Action statistics:
>         Sent 20 bytes 1 pkt (dropped 1, overlimits 0 requeues 0) 
>         backlog 0b 0p requeues 0
> 
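
The bit layout behind the two scripts above, as an added example that is not part of this thread or of the kernel tree: the IPv4 TOS byte is a 6-bit DSCP in the high bits plus a 2-bit ECN field in the low bits, and a dscp_t-style field keeps only the DSCP part. The code below models the two behaviours Ido describes (a key tos of 1 meaning "inherit from the inner packet", and the outer ECN bits being rewritten on encapsulation the way the kernel's INET_ECN_encapsulate() does, per RFC 6040) and reproduces the outer tos 0x4 seen in [2] and the enc_tos 254 (0xfe) seen in [4]. All function and macro names here are this example's own, not kernel identifiers.

```c
/* Added example, not kernel code: TOS byte = DSCP (high 6 bits) | ECN (low 2 bits). */
#include <stdint.h>
#include <stdio.h>

#define ECN_MASK    0x03u   /* low two bits: ECN codepoint */
#define ECN_ECT_0   0x02u
#define ECN_CE      0x03u
#define DSCP_MASK   0xfcu   /* high six bits: DSCP */

/* Sentinel some drivers read as "inherit TOS from the inner packet" in
 * ip_tunnel_key::tos, as described in the thread. */
#define TUNKEY_TOS_INHERIT 1u

/* What a dscp_t-style field retains from a full 8-bit TOS value. */
static uint8_t tos_to_dscp(uint8_t tos) { return tos & DSCP_MASK; }

static uint8_t tos_to_ecn(uint8_t tos) { return tos & ECN_MASK; }

/* Outer ECN on encapsulation (RFC 6040 normal mode, as INET_ECN_encapsulate()
 * does it): copy the inner ECN codepoint, except that inner CE becomes ECT(0)
 * on the outer header. The outer DSCP is left alone. */
static uint8_t encapsulate_tos(uint8_t outer, uint8_t inner)
{
    outer &= (uint8_t)~ECN_MASK;
    outer |= (tos_to_ecn(inner) != ECN_CE) ? tos_to_ecn(inner) : ECN_ECT_0;
    return outer;
}

/* Model of the Tx path the thread describes: a key tos of 1 means "use the
 * inner packet's TOS", any other value is the configured outer TOS; either
 * way the ECN bits are then rewritten by encapsulate_tos(). */
static uint8_t tunnel_outer_tos(uint8_t key_tos, uint8_t inner_tos)
{
    uint8_t outer = (key_tos == TUNKEY_TOS_INHERIT) ? inner_tos : key_tos;
    return encapsulate_tos(outer, inner_tos);
}

/* Non-zero when a value stored in an 8-bit tos field carries information in
 * the ECN bits and so could not be represented by dscp_t. The inherit
 * sentinel 1 (DSCP 0, ECN 01) is such a value. */
static int loses_info_as_dscp(uint8_t tos)
{
    return tos_to_dscp(tos) != tos;
}

int main(void)
{
    /* [1]/[2]: ipip route with "tos 1", ping -Q 4 -> inner tos 0x04 */
    unsigned ipip_outer = tunnel_outer_tos(TUNKEY_TOS_INHERIT, 0x04);
    /* [3]/[4]: vxlan link with "tos 0xff", mausezahn tos=0xff -> inner 0xff */
    unsigned vxlan_outer = tunnel_outer_tos(0xff, 0xff);

    printf("ipip:  key tos 1 (inherit), inner 0x04 -> outer tos 0x%02x\n", ipip_outer);
    printf("vxlan: key tos 0xff, inner 0xff -> outer tos 0x%02x (enc_tos %u)\n",
           vxlan_outer, vxlan_outer);
    printf("dscp_t would keep 0x%02x of the inherit sentinel 0x%02x (lossy: %d)\n",
           (unsigned)tos_to_dscp(TUNKEY_TOS_INHERIT), (unsigned)TUNKEY_TOS_INHERIT,
           loses_info_as_dscp(TUNKEY_TOS_INHERIT));
    return 0;
}
```

The last line of output is the crux of the thread: the sentinel 1 lives entirely in the ECN bits, so a dscp_t field cannot carry it, which is why the "inherit" choice would have to move to a tunnel flag, and why the Rx case (where the field deliberately holds outer ECN bits for matching with enc_tos) cannot be converted at all.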

