From: Liran Alon <liran.alon@oracle.com>
To: <daniel@iogearbox.net>
Cc: <netdev@vger.kernel.org>, <shmulik.ladkani@gmail.com>,
	<davem@davemloft.net>, <linux-kernel@vger.kernel.org>,
	<yuval.shaia@oracle.com>, <idan.brown@oracle.com>
Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns
Date: Thu, 15 Mar 2018 05:23:41 -0700 (PDT)	[thread overview]
Message-ID: <be0d17cf-12d5-440c-adee-e943ccb199c9@default> (raw)


----- daniel@iogearbox.net wrote:

> On 03/15/2018 10:21 AM, Shmulik Ladkani wrote:
> > Regarding the premise of this commit, this "reduces" the
> > ipvs/orphan/mark scrubbing in the following *non* xnet situations:
> > 
> >  1. macvlan port xmit to other macvlan ports in Bridge Mode
> >  2. similarly for ipvlan
> >  3. veth xmit
> >  4. l2tp_eth_dev_recv
> >  5. bpf redirect/clone_redirect ingress actions
> > 
> > Regarding l2tp recv, this commit seems to align the scrubbing behavior
> > with ip tunnels (full scrub only if crossing netns, see ip_tunnel_rcv).
> > 
> > Regarding veth xmit, it does make sense to preserve the fields if not
> > crossing netns. This is also the case when one uses tc mirred.
> > 
> > Regarding bpf redirect, well, it depends on the expectations of each bpf
> > program.
> > I'd argue that preserving the fields (at least the mark field) in the
> > *non* xnet makes sense and provides more information and therefore more
> > capabilities; Alas this might change behavior already being relied on.
> > 
> > Maybe Daniel can comment on the matter.
> 
> Overall I think it might be nice to not need scrubbing skb in such cases,
> although my concern would be that this has potential to break existing
> setups when they would expect mark being zero on other veth peer in any
> case since it's the behavior for a long time already. The safer option
> would be to have some sort of explicit opt-in e.g. on link creation to let
> the skb->mark pass through unscrubbed. This would definitely be a useful
> option e.g. when mark is set in the netns facing veth via clsact/egress
> on xmit and when the container is unprivileged anyway.
> 
> Thanks,
> Daniel

I see your point in regards to backwards compatibility.
However, not scrubbing the skb when it crosses netns via some kernel functions, compared to
others, is basically a bug which could easily break with a little bit more refactoring.
Therefore, it seems a bit weird to me that from now on we will force
every user on link creation to consider that once there was a bug leading
to this weird behavior on specific netdevs.
Thus, I suggest maybe controlling this via a global /proc/sys/net file instead.

-Liran
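As an added illustration, not code from this thread or from the kernel: a user-space C model of the scrubbing split the thread argues about. The common part of skb_scrub_packet() runs on every forward, the ipvs/orphan/mark part only when xnet, and the three proposals (always scrub, scrub only when crossing netns, opt-in knob) differ only in how xnet is derived. The struct, the policy enum and the single boolean knob are constructed for this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the sk_buff fields the thread talks about. */
struct model_skb {
    uint32_t mark;       /* skb->mark: cleared only when xnet */
    bool     has_sock;   /* models skb->sk; skb_orphan() drops it when xnet */
    bool     has_ipvs;   /* models the state ipvs_reset() clears when xnet */
    bool     has_dst;    /* dst is dropped on every scrub, xnet or not */
};

enum forward_policy {
    POLICY_ALWAYS_SCRUB, /* dev_forward_skb() today: xnet is always true */
    POLICY_NETNS_ONLY,   /* the patch: xnet only when src and dst netns differ */
    POLICY_OPT_IN,       /* Daniel's per-link flag or Liran's sysctl, simplified
                            to one boolean: same-netns forwarding keeps the
                            per-netns fields only when the knob is set */
};

/* Same split as skb_scrub_packet(): the common scrub always runs, the
 * per-netns fields (ipvs state, owning socket, mark) go only if xnet. */
static void scrub_packet(struct model_skb *skb, bool xnet)
{
    skb->has_dst = false;
    if (!xnet)
        return;
    skb->has_ipvs = false;
    skb->has_sock = false;
    skb->mark = 0;
}

/* Forward a fresh skb carrying `mark` from src_netns to dst_netns under
 * the given policy; returns the mark the receiving device would see. */
uint32_t mark_after_forward(int src_netns, int dst_netns, uint32_t mark,
                            enum forward_policy policy, bool knob_set)
{
    struct model_skb skb = { mark, true, true, true };
    bool crossing = src_netns != dst_netns;
    bool xnet;

    switch (policy) {
    case POLICY_NETNS_ONLY: xnet = crossing;              break;
    case POLICY_OPT_IN:     xnet = crossing || !knob_set; break;
    default:                xnet = true;                  break;
    }
    scrub_packet(&skb, xnet);
    return skb.mark;
}
```

Under POLICY_NETNS_ONLY a veth peer in the same netns sees the original mark, which is exactly the behavior change Daniel worries existing setups may not expect.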
