From: Eugene Crosser <crosser@average.org>
To: Jan Engelhardt <jengelh@inai.de>, Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: Expose skb_gso_validate_network_len() [Was: ebtables: load-on-demand extensions]
Date: Mon, 22 Jun 2020 09:41:18 +0200 [thread overview]
Message-ID: <835ba5c8-d017-d64d-cdea-35458cd70eb0@average.org> (raw)
In-Reply-To: <nycvar.YFH.7.77.849.2006220643340.24160@n3.vanv.qr>
[-- Attachment #1.1: Type: text/plain, Size: 1206 bytes --]
On 22/06/2020 06:50, Jan Engelhardt wrote:
>> What short-circuit behaviour?
>>
>> The difference we're talking about is:
>> *reg = get_gso_segment_or_nh_len(skb);
>> vs.
>> if (!skb_is_gso(skb) || get_gso_segment_len(skb) <= priv->len))
>> regs->verdict.code = NFT_BREAK;
>
> I was under the impression the discussion had steered on
>
> *reg1 = skb_gso_size_check(skb, skb_gso_validate_network_len(skb, priv->len));
> verdict = *reg1 ? NFT_CONTINUE : NFT_BREAK;
>
> vs.
>
> *reg1 = 0;
> skb_walk_frags(skb, iter)
> *reg1 += seg_len + skb_headlen(iter);
> // and leave reg1 for the next nft op (lt/gt/feeding it to a counter/etc.)
skb_gso_size_check() has skb_walk_frags() inside. This internal skb_walk_frags()
terminates early (is "short-cirquited"?) when a non-compliant segment is
encountered.
If we want to expose the _maximum length_ of the segments, we need another
function that _also_ performs skb_walk_frags() and runs it to the end (does not
"short-circuit").
Performance-wise, this is probably not a significant penalty in most cases. But
it does require a new function that finds the maximum segment length.
Regards,
Eugene
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
prev parent reply other threads:[~2020-06-22 7:41 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-16 14:48 ebtables: load-on-demand extensions Eugene Crosser
2020-06-16 15:21 ` Jan Engelhardt
2020-06-16 15:54 ` Eugene Crosser
2020-06-16 16:33 ` Jan Engelhardt
2020-06-19 13:45 ` Eugene Crosser
2020-06-19 15:15 ` Pablo Neira Ayuso
2020-06-19 16:21 ` Eugene Crosser
2020-06-20 10:34 ` Expose skb_gso_validate_network_len() [Was: ebtables: load-on-demand extensions] Eugene Crosser
2020-06-20 11:04 ` Florian Westphal
2020-06-20 21:16 ` Eugene Crosser
2020-06-21 3:24 ` Florian Westphal
2020-06-21 10:03 ` Jan Engelhardt
2020-06-21 18:48 ` Eugene Crosser
2020-06-21 23:52 ` Florian Westphal
2020-06-22 4:50 ` Jan Engelhardt
2020-06-22 7:41 ` Eugene Crosser [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=835ba5c8-d017-d64d-cdea-35458cd70eb0@average.org \
--to=crosser@average.org \
--cc=fw@strlen.de \
--cc=jengelh@inai.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).