linux-kernel.vger.kernel.org archive mirror
From: Thomas Graf <tgraf@suug.ch>
To: Joe Stringer <joestringer@nicira.com>
Cc: Linux Netdev List <netdev@vger.kernel.org>,
	Linux Kernel <linux-kernel@vger.kernel.org>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Patrick McHardy <kaber@trash.net>,
	Justin Pettit <jpettit@nicira.com>,
	Pravin Shelar <pshelar@nicira.com>, Andy Zhou <azhou@nicira.com>,
	Jesse Gross <jesse@nicira.com>,
	Florian Westphal <fwestpha@redhat.com>,
	Hannes Sowa <hannes@redhat.com>
Subject: Re: [PATCH net-next 1/9] openvswitch: Scrub packet in ovs_vport_receive()
Date: Fri, 31 Jul 2015 09:38:09 +0200
Message-ID: <20150731073809.GA4738@pox.localdomain>
In-Reply-To: <CANr6G5wRS1zg4oLdS5L4gM7iCS11BHb7+8uUN1fh5Oa9F4_BBw@mail.gmail.com>

On 07/30/15 at 04:16pm, Joe Stringer wrote:
> On 30 July 2015 at 11:40, Thomas Graf <tgraf@suug.ch> wrote:
> > On 07/30/15 at 11:12am, Joe Stringer wrote:
> >> Signed-off-by: Joe Stringer <joestringer@nicira.com>
> >
> > Can you write a few lines on why this is needed? I have flows which
> > use the mark to communicate with netfilter through internal ports.
> 
> The problem I was seeing is when packets come from a different
> namespace on the localhost, they still have conntrack data associated.
> This doesn't make sense, so the intention is to perform nf_reset().
> However, it seems like we should actually be doing a bit more - at
> least the skb_dst_drop() and perhaps some of the other stuff in
> skb_scrub_packet().
> 
> Do you want to retain the mark when transitioning between namespaces?

Since we have retained it so far I think we should keep on doing
that. I'm pretty sure there are users of it out there besides me.
As you know, it's common to have tap devices in between OVS and the
guest in OpenStack and install netfilter rules there.

As for whether we should scrub it in between namespaces: probably yes,
but it's definitely tremendously useful to be able to transfer some
metadata (mark and dst metadata) between namespaces. The default
behaviour should probably be to scrub it, with a flag to keep it. If
that flag is not set and nsid of port != bridge, then we scrub the mark
and other metadata.
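The policy sketched in this exchange, as an added user-space model that is not part of the patch series or of either author's mail: conntrack state picked up in another namespace is always dropped on receive (the nf_reset() Joe refers to), while the mark and dst metadata survive a namespace crossing only when a per-port keep flag is set. The struct layout, the OVS_PORT_KEEP_METADATA flag name and the nsid values are assumptions made for this illustration; in the kernel the corresponding helpers are nf_reset(), skb_dst_drop() and skb_scrub_packet().

```c
/* Added example: user-space model of the namespace-crossing scrub policy.
 * Field names, the flag and the nsid values are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for the sk_buff metadata under discussion. */
struct model_skb {
    uint32_t mark;   /* skb->mark, typically set by netfilter rules */
    void    *nfct;   /* reference to a conntrack entry */
    void    *dst;    /* route / dst metadata */
    int      nsid;   /* netns the packet was received in */
};

/* Assumed per-port flag: keep mark and dst metadata across namespaces. */
#define OVS_PORT_KEEP_METADATA 0x1u

/* Bits reported by model_receive_report(). */
enum { SCRUBBED_NFCT = 1, SCRUBBED_MARK = 2, SCRUBBED_DST = 4 };

/* Model of the receive-path scrub. Conntrack state never survives a
 * namespace crossing; mark and dst survive only if the port opted in. */
static void model_vport_receive(struct model_skb *skb, int bridge_nsid,
                                unsigned int port_flags)
{
    if (skb->nsid == bridge_nsid)
        return;                 /* same namespace: nothing to scrub */

    skb->nfct = NULL;           /* nf_reset(): drop the conntrack reference */
    if (!(port_flags & OVS_PORT_KEEP_METADATA)) {
        skb->mark = 0;          /* scrub the mark */
        skb->dst  = NULL;       /* skb_dst_drop() */
    }
    skb->nsid = bridge_nsid;    /* packet now belongs to the bridge's netns */
}

/* Run one constructed packet through the model and report which
 * fields were cleared, as a bitmask of the SCRUBBED_* values. */
static unsigned int model_receive_report(int skb_nsid, int bridge_nsid,
                                         unsigned int port_flags)
{
    static int dummy_ct, dummy_dst;     /* stand-ins for live references */
    struct model_skb skb = {
        .mark = 0x1234, .nfct = &dummy_ct, .dst = &dummy_dst, .nsid = skb_nsid,
    };
    unsigned int report = 0;

    model_vport_receive(&skb, bridge_nsid, port_flags);
    if (skb.nfct == NULL) report |= SCRUBBED_NFCT;
    if (skb.mark == 0)    report |= SCRUBBED_MARK;
    if (skb.dst == NULL)  report |= SCRUBBED_DST;
    return report;
}

int main(void)
{
    printf("same netns, no flag:      scrubbed=%u\n", model_receive_report(1, 1, 0));
    printf("cross netns, no flag:     scrubbed=%u\n", model_receive_report(1, 2, 0));
    printf("cross netns, keep flag:   scrubbed=%u\n",
           model_receive_report(1, 2, OVS_PORT_KEEP_METADATA));
    return 0;
}
```

The three cases in main() correspond to the three situations in the thread: a port in the bridge's own namespace (nothing scrubbed), a port in another namespace with the default policy (everything scrubbed), and a port that explicitly opted in to carrying mark and dst metadata (only the conntrack reference is dropped).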
