On 20/06/2020 13:04, Florian Westphal wrote: >>>>>>> Why not make a patch to publicly expose the skb's data via nft_meta? >>>>>>> No more custom modules, no more userspace modifications [..] >>>>>> >>>>>> For our particular use case, we are running the skb through the kernel >>>>>> function `skb_validate_network_len()` with custom mtu size [..] >> makes sense to implement the functionality that we need within the "new" nft >> infrastructure. > > Yes, just do what Jan suggested and expost this in nft_meta.c > >> As far as I understand, the part that is missing in the existing implementation >> is exposure (in some form) of `skb_gso_validate_network_len()` function to >> user-configurable filters. > > No, nft already has "< $value" logic. > The only missing piece of the puzzle is a way to populate an nft > register with the "size per segment" value. I don't think that it works. `skb_gso_network_seglen()` gives the (same for all segments) segment length _only_ when `shinfo->gso_size != GSO_BY_FRAGS`. If we were to expose maximum segment length for skbs with `gso_size == GSO_BY_FRAGS`, we'd need a new function that basically replicates the functionality of `skb_gso_size_check()` and performs `skb_walk_frags()`, only instead of returning `false` on first violation finds and then returns the maximum encoutered value. That means we'd need to introduce a new function for the sole purpose of making the proposed check fit in the "less-equal-greater" model. And the only practical use of the feature is to check "fits-doesn't fit" anyway. It would seem logical to rather use the kernel function that already exists and already has the "fits-doesn't fit" semantic. Do you think this is a valid argument to implement a boolean predicate rather than expose an arithmetic value? Regards, Eugene >> Because the kernel does now expose the _size_ under >> which a gso skb can be segmented, but only the _boolean_ with the meaning "this >> gso skb can fit in mtu that you've specified", > > It would be best to remove "static" from skb_gso_network_seglen() and > add an EXPORT_SYMBOL_GPL for it. > > Then, extend nft_meta.c to set register content to that for gso > or the ip/ipv6 packet size for !gso. > > Then, extend nft to support something like > > nft insert rule bridge filter FORWARD \ > ip frag-off & 0x4000 != 0 \ > ip protocol tcp \ > meta nh_segment_length > 1400 \ > reject with icmp type frag-needed > > [ NB: I suck at naming, so feel free to come up > with somethng more descriptive than "nh_segment_length". > l3size? nh-len...? ] >
Attachment:
signature.asc
Description: OpenPGP digital signature
