lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <575bb07d-579c-4db5-8624-7446836e77bd@davidwei.uk>
Date: Mon, 9 Feb 2026 16:25:15 -0800
From: David Wei <dw@...idwei.uk>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org,
 bpf@...r.kernel.org, davem@...emloft.net, razor@...ckwall.org,
 pabeni@...hat.com, willemb@...gle.com, sdf@...ichev.me,
 john.fastabend@...il.com, martin.lau@...nel.org, jordan@...fe.io,
 maciej.fijalkowski@...el.com, magnus.karlsson@...el.com, toke@...hat.com,
 yangzhenze@...edance.com, wangdongdong.6@...edance.com
Subject: Re: [PATCH net-next v8 15/16] selftests/net: Add env for container
 based tests

On 2026-02-02 10:41, Jakub Kicinski wrote:
> On Mon, 2 Feb 2026 07:53:34 +0900 David Wei wrote:
>> On 2026-02-01 09:38, Jakub Kicinski wrote:
>>> I'm not a Python expert but the pre-init of variables that are set
>>> later on in __init__() (on all possible paths) seems like a waste of LoC
>>
>> It's so that exceptions thrown -> __del__() don't complain about
>> undefined vars.
> 
> I see. I guess that's cleaner than hasattr(self, "xyz"), fair.
> 
>>>> +
>>>> +        ip(f"link add type netkit mode l2 forward peer forward numrxqueues {rxqueues}")
>>>
>>> Would we be able to do this with YNL?
>>> no big deal but always nice to avoid the dependency on very latest CLI
>>
>> Hmm, I tried looking into this already. My understanding is that this
>> can be done in C but not currently in YNL, not without adding a spec.
> 
> I thought the only thing C can do that Python can't is deciding nested
> extacks.. Ah, of course.. I missed that patch 10 is not updating the
> YAML spec. That needs to be fixed, we want YAML to stay in sync for the
> families that are already YAML-ized.

Sorry, my mistake. It is possible with rt-link.yaml:

   ynl = RtnlFamily()
   ynl.newlink(...)

> 
>>>> +    def _setup_ns(self):
>>>> +        self.netns = NetNS()
>>>> +        cmd("ip netns attach init 1")
>>>> +        self._init_ns_attached = True
>>>> +        ip("netns set init 0", ns=self.netns)
>>>
>>> Hm, refactor class NetNSEnter or just use its enter method?
>>
>> I did consider this but I didn't feel like it fit the very specific
>> purpose of NetNSEnter. I needed the init ns to have a valid nsid from
>> within the test netns, which I didn't think many other tests would need.
> 
> What about the "ip netns attach init 1" ?
> that's the main thing that gave me pause TBH
> Why is it needed?

The bind-queue lease attribute takes the ifindex/queue/netns-id of the
source phys netdev to lease a queue from. Once a netlink has been moved
into a netns, it doesn't have access to the source phys netdev in the
init ns anymore. This is why initially I did the bind-queue before
moving one of the netkit peers into a netns.

For me to be able to do a bind-queue op inside a netns, I use ip netns
attach to make the init ns available with a nsid inside of a netns.

> 
>>> Don't we need to also add a qdisc if there isn't one already?
>>
>> Sorry, why would qdisc be needed? The bpf prog attaches to tc. I don't
>> know anything about qdisc, though.
> 
> There's a new way of attaching qdisc-less (TCX) but IIUC here you're
> attaching in the old way. So you must have a parent object. The ingress
> / clsact qdisc isn't really for queuing packets, it's just a fake qdisc
> that lets you attach TC filters to an interface. Machines at Meta have
> a clsact qdisc installed by init, but that's far from normal (try to
> run this command in vng, you'll see)

Thanks for the explanation. I'll fix this by adding a qdisc if one
doesn't exist.

> 
>>>> +        match = re.search(r'pref (\d+).*nk_forward\.bpf.*id (\d+)', tc_info)
>>>
>>> I haven't checked but TC doesn't support enough JSON and YNL doesn't
>>> support enough TC to avoid re hacks? :( :(
>>
>> Yeah the old TC tool doesn't give me this info programmatically :(
>>
>> Borkmann mentioned TC is outdated/unmaintained. I did use tcx via a C
>> loader before, but that was removed in an earlier iteration.
> 
> Not sure what you're saying. tc bpf CLI supports JSON output since:
> 
> commit 3175bca7182b0867c6e9a3d5d1551fdecf70118c
> Author: Davide Caratti <dcaratti@...hat.com>
> Date:   Thu Apr 30 20:03:30 2020 +0200
> 
>      tc: full JSON support for 'bpf' filter

Yes this works, I'll use it instead of regex.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ