1. 31 7月, 2017 2 次提交
    • J
      net sched actions: dump more than TCA_ACT_MAX_PRIO actions per batch · 90825b23
      Jamal Hadi Salim 提交于
      When you dump hundreds of thousands of actions, getting only 32 per
      dump batch even when the socket buffer and memory allocations allow
      is inefficient.
      
      With this change, the user will get as many as possibly fitting
      within the given constraints available to the kernel.
      
      The top level action TLV space is extended. An attribute
      TCA_ROOT_FLAGS is used to carry flags; flag TCA_FLAG_LARGE_DUMP_ON
      is set by the user indicating the user is capable of processing
      these large dumps. Older user space which doesnt set this flag
      doesnt get the large (than 32) batches.
      The kernel uses the TCA_ROOT_COUNT attribute to tell the user how many
      actions are put in a single batch. As such user space app knows how long
      to iterate (independent of the type of action being dumped)
      instead of hardcoded maximum of 32 thus maintaining backward compat.
      
      Some results dumping 1.5M actions below:
      first an unpatched tc which doesnt understand these features...
      
      prompt$ time -p tc actions ls action gact | grep index | wc -l
      1500000
      real 1388.43
      user 2.07
      sys 1386.79
      
      Now lets see a patched tc which sets the correct flags when requesting
      a dump:
      
      prompt$ time -p updatedtc actions ls action gact | grep index | wc -l
      1500000
      real 178.13
      user 2.02
      sys 176.96
      
      That is about 8x performance improvement for tc app which sets its
      receive buffer to about 32K.
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Reviewed-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      90825b23
    • J
      net sched actions: Use proper root attribute table for actions · df823b02
      Jamal Hadi Salim 提交于
      Bug fix for an issue which has been around for about a decade.
      We got away with it because the enumeration was larger than needed.
      
      Fixes: 7ba699c6 ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API")
      Suggested-by: NJiri Pirko <jiri@mellanox.com>
      Reviewed-by: NSimon Horman <simon.horman@netronome.com>
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Reviewed-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df823b02
  2. 14 7月, 2017 1 次提交
  3. 26 5月, 2017 1 次提交
  4. 18 5月, 2017 2 次提交
  5. 03 5月, 2017 1 次提交
  6. 25 4月, 2017 1 次提交
    • J
      net sched actions: Complete the JUMPX opcode · e0ee84de
      Jamal Hadi Salim 提交于
      per discussion at netconf/netdev:
      When we have an action that is capable of branching (example a policer),
      we can achieve a continuation of the action graph by programming a
      "continue" where we find an exact replica of the same filter rule with a lower
      priority and the remainder of the action graph. When you have 100s of thousands
      of filters which require such a feature it gets very inefficient to do two
      lookups.
      
      This patch completes a leftover feature of action codes. Its time has come.
      
      Example below where a user labels packets with a different skbmark on ingress
      of a port depending on whether they have/not exceeded the configured rate.
      This mark is then used to make further decisions on some egress port.
      
       #rate control, very low so we can easily see the effect
      sudo $TC actions add action police rate 1kbit burst 90k \
      conform-exceed pipe/jump 2 index 10
       # skbedit index 11 will be used if the user conforms
      sudo $TC actions add action skbedit mark 11 ok index 11
       # skbedit index 12 will be used if the user does not conform
      sudo $TC actions add action skbedit mark 12 ok index 12
      
       #lets bind the user ..
      sudo $TC filter add dev $ETH parent ffff: protocol ip prio 8 u32 \
      match ip dst 127.0.0.8/32 flowid 1:10 \
      action police index 10 \
      action skbedit index 11 \
      action skbedit index 12
      
       #run a ping -f and see what happens..
       #
      jhs@foobar:~$ sudo $TC -s filter ls dev $ETH parent ffff: protocol ip
      filter pref 8 u32
      filter pref 8 u32 fh 800: ht divisor 1
      filter pref 8 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10  (rule hit 2800 success 1005)
        match 7f000008/ffffffff at 16 (success 1005 )
      	action order 1:  police 0xa rate 1Kbit burst 23440b mtu 2Kb action pipe/jump 2 overhead 0b
      	ref 2 bind 1 installed 207 sec used 122 sec
      	Action statistics:
      	Sent 84420 bytes 1005 pkt (dropped 0, overlimits 721 requeues 0)
      	backlog 0b 0p requeues 0
      
      	action order 2:  skbedit mark 11 pass
      	 index 11 ref 2 bind 1 installed 204 sec used 122 sec
       	Action statistics:
      	Sent 60564 bytes 721 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      	action order 3:  skbedit mark 12 pass
      	 index 12 ref 2 bind 1 installed 201 sec used 122 sec
       	Action statistics:
      	Sent 23856 bytes 284 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      Not bad, about 28% non-conforming packets..
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e0ee84de
  7. 21 4月, 2017 1 次提交
    • W
      net sched actions: allocate act cookie early · e0535ce5
      Wolfgang Bumiller 提交于
      Policing filters do not use the TCA_ACT_* enum and the tb[]
      nlattr array in tcf_action_init_1() doesn't get filled for
      them so we should not try to look for a TCA_ACT_COOKIE
      attribute in the then uninitialized array.
      The error handling in cookie allocation then calls
      tcf_hash_release() leading to invalid memory access later
      on.
      Additionally, if cookie allocation fails after an already
      existing non-policing filter has successfully been changed,
      tcf_action_release() should not be called, also we would
      have to roll back the changes in the error handling, so
      instead we now allocate the cookie early and assign it on
      success at the end.
      
      CVE-2017-7979
      Fixes: 1045ba77 ("net sched actions: Add support for user cookies")
      Signed-off-by: NWolfgang Bumiller <w.bumiller@proxmox.com>
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e0535ce5
  8. 18 4月, 2017 1 次提交
  9. 14 4月, 2017 1 次提交
  10. 27 2月, 2017 2 次提交
    • R
      net sched actions: do not overwrite status of action creation. · 37f1c63e
      Roman Mashak 提交于
      nla_memdup_cookie was overwriting err value, declared at function
      scope and earlier initialized with result of ->init(). At success
      nla_memdup_cookie() returns 0, and thus module refcnt decremented,
      although the action was installed.
      
      $ sudo tc actions add action pass index 1 cookie 1234
      $ sudo tc actions ls action gact
      
              action order 0: gact action pass
               random type none pass val 0
               index 1 ref 1 bind 0
      $
      $ lsmod
      Module                  Size  Used by
      act_gact               16384  0
      ...
      $
      $ sudo rmmod act_gact
      [   52.310283] ------------[ cut here ]------------
      [   52.312551] WARNING: CPU: 1 PID: 455 at kernel/module.c:1113
      module_put+0x99/0xa0
      [   52.316278] Modules linked in: act_gact(-) crct10dif_pclmul crc32_pclmul
      ghash_clmulni_intel psmouse pcbc evbug aesni_intel aes_x86_64 crypto_simd
      serio_raw glue_helper pcspkr cryptd
      [   52.322285] CPU: 1 PID: 455 Comm: rmmod Not tainted 4.10.0+ #11
      [   52.324261] Call Trace:
      [   52.325132]  dump_stack+0x63/0x87
      [   52.326236]  __warn+0xd1/0xf0
      [   52.326260]  warn_slowpath_null+0x1d/0x20
      [   52.326260]  module_put+0x99/0xa0
      [   52.326260]  tcf_hashinfo_destroy+0x7f/0x90
      [   52.326260]  gact_exit_net+0x27/0x40 [act_gact]
      [   52.326260]  ops_exit_list.isra.6+0x38/0x60
      [   52.326260]  unregister_pernet_operations+0x90/0xe0
      [   52.326260]  unregister_pernet_subsys+0x21/0x30
      [   52.326260]  tcf_unregister_action+0x68/0xa0
      [   52.326260]  gact_cleanup_module+0x17/0xa0f [act_gact]
      [   52.326260]  SyS_delete_module+0x1ba/0x220
      [   52.326260]  entry_SYSCALL_64_fastpath+0x1e/0xad
      [   52.326260] RIP: 0033:0x7f527ffae367
      [   52.326260] RSP: 002b:00007ffeb402a598 EFLAGS: 00000202 ORIG_RAX:
      00000000000000b0
      [   52.326260] RAX: ffffffffffffffda RBX: 0000559b069912a0 RCX: 00007f527ffae367
      [   52.326260] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000559b06991308
      [   52.326260] RBP: 0000000000000003 R08: 00007f5280264420 R09: 00007ffeb4029511
      [   52.326260] R10: 000000000000087b R11: 0000000000000202 R12: 00007ffeb4029580
      [   52.326260] R13: 0000000000000000 R14: 0000000000000000 R15: 0000559b069912a0
      [   52.354856] ---[ end trace 90d89401542b0db6 ]---
      $
      
      With the fix:
      
      $ sudo modprobe act_gact
      $ lsmod
      Module                  Size  Used by
      act_gact               16384  0
      ...
      $ sudo tc actions add action pass index 1 cookie 1234
      $ sudo tc actions ls action gact
      
              action order 0: gact action pass
               random type none pass val 0
               index 1 ref 1 bind 0
      $
      $ lsmod
      Module                  Size  Used by
      act_gact               16384  1
      ...
      $ sudo rmmod act_gact
      rmmod: ERROR: Module act_gact is in use
      $
      $ sudo /home/mrv/bin/tc actions del action gact index 1
      $ sudo rmmod act_gact
      $ lsmod
      Module                  Size  Used by
      $
      
      Fixes: 1045ba77 ("net sched actions: Add support for user cookies")
      Signed-off-by: NRoman Mashak <mrv@mojatatu.com>
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      37f1c63e
    • R
      net sched actions: decrement module reference count after table flush. · edb9d1bf
      Roman Mashak 提交于
      When tc actions are loaded as a module and no actions have been installed,
      flushing them would result in actions removed from the memory, but modules
      reference count not being decremented, so that the modules would not be
      unloaded.
      
      Following is example with GACT action:
      
      % sudo modprobe act_gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions ls action gact
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  1
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  2
      % sudo rmmod act_gact
      rmmod: ERROR: Module act_gact is in use
      ....
      
      After the fix:
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions add action pass index 1
      % sudo tc actions add action pass index 2
      % sudo tc actions add action pass index 3
      % lsmod
      Module                  Size  Used by
      act_gact               16384  3
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      % sudo rmmod act_gact
      % lsmod
      Module                  Size  Used by
      %
      
      Fixes: f97017cd ("net-sched: Fix actions flushing")
      Signed-off-by: NRoman Mashak <mrv@mojatatu.com>
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      edb9d1bf
  11. 15 2月, 2017 1 次提交
  12. 26 1月, 2017 1 次提交
    • J
      net sched actions: Add support for user cookies · 1045ba77
      Jamal Hadi Salim 提交于
      Introduce optional 128-bit action cookie.
      Like all other cookie schemes in the networking world (eg in protocols
      like http or existing kernel fib protocol field, etc) the idea is to save
      user state that when retrieved serves as a correlator. The kernel
      _should not_ intepret it.  The user can store whatever they wish in the
      128 bits.
      
      Sample exercise(showing variable length use of cookie)
      
      .. create an accept action with cookie a1b2c3d4
      sudo $TC actions add action ok index 1 cookie a1b2c3d4
      
      .. dump all gact actions..
      sudo $TC -s actions ls action gact
      
          action order 0: gact action pass
           random type none pass val 0
           index 1 ref 1 bind 0 installed 5 sec used 5 sec
          Action statistics:
          Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
          backlog 0b 0p requeues 0
          cookie a1b2c3d4
      
      .. bind the accept action to a filter..
      sudo $TC filter add dev lo parent ffff: protocol ip prio 1 \
      u32 match ip dst 127.0.0.1/32 flowid 1:1 action gact index 1
      
      ... send some traffic..
      $ ping 127.0.0.1 -c 3
      PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
      64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
      64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
      64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.038 ms
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1045ba77
  13. 17 1月, 2017 1 次提交
    • J
      net sched actions: fix refcnt when GETing of action after bind · 0faa9cb5
      Jamal Hadi Salim 提交于
      Demonstrating the issue:
      
      .. add a drop action
      $sudo $TC actions add action drop index 10
      
      .. retrieve it
      $ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 2 bind 0 installed 29 sec used 29 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      ... bug 1 above: reference is two.
          Reference is actually 1 but we forget to subtract 1.
      
      ... do a GET again and we see the same issue
          try a few times and nothing changes
      ~$ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 2 bind 0 installed 31 sec used 31 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      ... lets try to bind the action to a filter..
      $ sudo $TC qdisc add dev lo ingress
      $ sudo $TC filter add dev lo parent ffff: protocol ip prio 1 \
        u32 match ip dst 127.0.0.1/32 flowid 1:1 action gact index 10
      
      ... and now a few GETs:
      $ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 3 bind 1 installed 204 sec used 204 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      $ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 4 bind 1 installed 206 sec used 206 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      $ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 5 bind 1 installed 235 sec used 235 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      .... as can be observed the reference count keeps going up.
      
      After the fix
      
      $ sudo $TC actions add action drop index 10
      $ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 1 bind 0 installed 4 sec used 4 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      $ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 1 bind 0 installed 6 sec used 6 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      $ sudo $TC qdisc add dev lo ingress
      $ sudo $TC filter add dev lo parent ffff: protocol ip prio 1 \
        u32 match ip dst 127.0.0.1/32 flowid 1:1 action gact index 10
      
      $ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 2 bind 1 installed 32 sec used 32 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      $ sudo $TC -s actions get action gact index 10
      
      	action order 1: gact action drop
      	 random type none pass val 0
      	 index 10 ref 2 bind 1 installed 33 sec used 33 sec
       	Action statistics:
      	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
      	backlog 0b 0p requeues 0
      
      Fixes: aecc5cef ("net sched actions: fix GETing actions")
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0faa9cb5
  14. 09 1月, 2017 1 次提交
    • W
      net-tc: extract skip classify bit from tc_verd · e7246e12
      Willem de Bruijn 提交于
      Packets sent by the IFB device skip subsequent tc classification.
      A single bit governs this state. Move it out of tc_verd in
      anticipation of removing that __u16 completely.
      
      The new bitfield tc_skip_classify temporarily uses one bit of a
      hole, until tc_verd is removed completely in a follow-up patch.
      
      Remove the bit hole comment. It could be 2, 3, 4 or 5 bits long.
      With that many options, little value in documenting it.
      
      Introduce a helper function to deduplicate the logic in the two
      sites that check this bit.
      
      The field tc_skip_classify is set only in IFB on skbs cloned in
      act_mirred, so original packet sources do not have to clear the
      bit when reusing packets (notably, pktgen and octeon).
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e7246e12
  15. 06 12月, 2016 1 次提交
    • E
      net_sched: gen_estimator: complete rewrite of rate estimators · 1c0d32fd
      Eric Dumazet 提交于
      1) Old code was hard to maintain, due to complex lock chains.
         (We probably will be able to remove some kfree_rcu() in callers)
      
      2) Using a single timer to update all estimators does not scale.
      
      3) Code was buggy on 32bit kernel (WRITE_ONCE() on 64bit quantity
         is not supposed to work well)
      
      In this rewrite :
      
      - I removed the RB tree that had to be scanned in
        gen_estimator_active(). qdisc dumps should be much faster.
      
      - Each estimator has its own timer.
      
      - Estimations are maintained in net_rate_estimator structure,
        instead of dirtying the qdisc. Minor, but part of the simplification.
      
      - Reading the estimator uses RCU and a seqcount to provide proper
        support for 32bit kernels.
      
      - We reduce memory need when estimators are not used, since
        we store a pointer, instead of the bytes/packets counters.
      
      - xt_rateest_mt() no longer has to grab a spinlock.
        (In the future, xt_rateest_tg() could be switched to per cpu counters)
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1c0d32fd
  16. 30 10月, 2016 1 次提交
  17. 13 10月, 2016 1 次提交
  18. 21 9月, 2016 1 次提交
    • J
      net sched actions: fix GETing actions · aecc5cef
      Jamal Hadi Salim 提交于
      With the batch changes that translated transient actions into
      a temporary list lost in the translation was the fact that
      tcf_action_destroy() will eventually delete the action from
      the permanent location if the refcount is zero.
      
      Example of what broke:
      ...add a gact action to drop
      sudo $TC actions add action drop index 10
      ...now retrieve it, looks good
      sudo $TC actions get action gact index 10
      ...retrieve it again and find it is gone!
      sudo $TC actions get action gact index 10
      
      Fixes: 22dc13c8 ("net_sched: convert tcf_exts from list to pointer array"),
      Fixes: 824a7e88 ("net_sched: remove an unnecessary list_del()")
      Fixes: f07fed82 ("net_sched: remove the leftover cleanup_a()")
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aecc5cef
  19. 20 9月, 2016 1 次提交
  20. 18 8月, 2016 3 次提交
  21. 26 7月, 2016 2 次提交
    • W
      net_sched: get rid of struct tcf_common · ec0595cc
      WANG Cong 提交于
      After the previous patch, struct tc_action should be enough
      to represent the generic tc action, tcf_common is not necessary
      any more. This patch gets rid of it to make tc action code
      more readable.
      
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ec0595cc
    • W
      net_sched: move tc_action into tcf_common · a85a970a
      WANG Cong 提交于
      struct tc_action is confusing, currently we use it for two purposes:
      1) Pass in arguments and carry out results from helper functions
      2) A generic representation for tc actions
      
      The first one is error-prone, since we need to make sure we don't
      miss anything. This patch aims to get rid of this use, by moving
      tc_action into tcf_common, so that they are allocated together
      in hashtable and can be cast'ed easily.
      
      And together with the following patch, we could really make
      tc_action a generic representation for all tc actions and each
      type of action can inherit from it.
      
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a85a970a
  22. 16 6月, 2016 2 次提交
  23. 08 6月, 2016 3 次提交
  24. 27 4月, 2016 1 次提交
  25. 26 2月, 2016 2 次提交
  26. 27 8月, 2015 1 次提交
  27. 31 7月, 2015 1 次提交
    • D
      net: sched: fix refcount imbalance in actions · 28e6b67f
      Daniel Borkmann 提交于
      Since commit 55334a5d ("net_sched: act: refuse to remove bound action
      outside"), we end up with a wrong reference count for a tc action.
      
      Test case 1:
      
        FOO="1,6 0 0 4294967295,"
        BAR="1,6 0 0 4294967294,"
        tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 \
           action bpf bytecode "$FOO"
        tc actions show action bpf
          action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe
          index 1 ref 1 bind 1
        tc actions replace action bpf bytecode "$BAR" index 1
        tc actions show action bpf
          action order 0: bpf bytecode '1,6 0 0 4294967294' default-action pipe
          index 1 ref 2 bind 1
        tc actions replace action bpf bytecode "$FOO" index 1
        tc actions show action bpf
          action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe
          index 1 ref 3 bind 1
      
      Test case 2:
      
        FOO="1,6 0 0 4294967295,"
        tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 action ok
        tc actions show action gact
          action order 0: gact action pass
          random type none pass val 0
           index 1 ref 1 bind 1
        tc actions add action drop index 1
          RTNETLINK answers: File exists [...]
        tc actions show action gact
          action order 0: gact action pass
           random type none pass val 0
           index 1 ref 2 bind 1
        tc actions add action drop index 1
          RTNETLINK answers: File exists [...]
        tc actions show action gact
          action order 0: gact action pass
           random type none pass val 0
           index 1 ref 3 bind 1
      
      What happens is that in tcf_hash_check(), we check tcf_common for a given
      index and increase tcfc_refcnt and conditionally tcfc_bindcnt when we've
      found an existing action. Now there are the following cases:
      
        1) We do a late binding of an action. In that case, we leave the
           tcfc_refcnt/tcfc_bindcnt increased and are done with the ->init()
           handler. This is correctly handeled.
      
        2) We replace the given action, or we try to add one without replacing
           and find out that the action at a specific index already exists
           (thus, we go out with error in that case).
      
      In case of 2), we have to undo the reference count increase from
      tcf_hash_check() in the tcf_hash_check() function. Currently, we fail to
      do so because of the 'tcfc_bindcnt > 0' check which bails out early with
      an -EPERM error.
      
      Now, while commit 55334a5d prevents 'tc actions del action ...' on an
      already classifier-bound action to drop the reference count (which could
      then become negative, wrap around etc), this restriction only accounts for
      invocations outside a specific action's ->init() handler.
      
      One possible solution would be to add a flag thus we possibly trigger
      the -EPERM ony in situations where it is indeed relevant.
      
      After the patch, above test cases have correct reference count again.
      
      Fixes: 55334a5d ("net_sched: act: refuse to remove bound action outside")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: NCong Wang <cwang@twopensource.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      28e6b67f
  28. 09 7月, 2015 1 次提交
  29. 03 5月, 2015 1 次提交
  30. 30 9月, 2014 1 次提交