From: Shmulik Ladkani <shmulik.ladkani@gmail.com>
To: Liran Alon <liran.alon@oracle.com>,
Daniel Borkmann <daniel@iogearbox.net>
Cc: davem@davemloft.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, idan.brown@oracle.com,
Yuval Shaia <yuval.shaia@oracle.com>
Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns
Date: Thu, 15 Mar 2018 11:21:49 +0200 [thread overview]
Message-ID: <20180315112150.58586758@halley> (raw)
In-Reply-To: <1520953642-8145-1-git-send-email-liran.alon@oracle.com>
Hi,
On Tue, 13 Mar 2018 17:07:22 +0200 Liran Alon <liran.alon@oracle.com> wrote:
> Before this commit, dev_forward_skb() always cleared packet's
> per-network-namespace info. Even if the packet doesn't cross
> network namespaces.
>
> The comment above dev_forward_skb() describes that this is done
> because the receiving device may be in another network namespace.
> However, this case can easily be tested for and therefore we can
> scrub packet's per-network-namespace info only when receiving device
> is indeed in another network namespace.
>
> Therefore, this commit changes ____dev_forward_skb() to tell
> skb_scrub_packet() that skb has crossed network-namespace only in case
> transmitting device (skb->dev) network namespace is different then
> receiving device (dev) network namespace.
Assuming the premise of this commit is correct, note it may not act as
intended for xnet situation in ipvlan_process_multicast, snip:
nskb->dev = ipvlan->dev;
if (tx_pkt)
ret = dev_forward_skb(ipvlan->dev, nskb);
else
ret = netif_rx(nskb);
as 'dev' gets already assigned to nskb prior dev_forward_skb (hence in
____dev_forward_skb both dev and skb->dev are the same).
Fortunately every ipvlan_multicast_enqueue call is preceded by a forced
scrub; It would be future-proof to not assign nskb->dev in the
dev_forward_skb case (assign it only in the netif_rx case).
Regarding the premise of this commit, this "reduces" the
ipvs/orphan/mark scrubbing in the following *non* xnet situations:
1. mac2vlan port xmit to other macvlan ports in Bridge Mode
2. similarly for ipvlan
3. veth xmit
4. l2tp_eth_dev_recv
5. bpf redirect/clone_redirect ingress actions
Regarding l2tp recv, this commit seems to align the srubbing behavior
with ip tunnels (full scrub only if crossing netns, see ip_tunnel_rcv).
Regarding veth xmit, it does makes sense to preserve the fields if not
crossing netns. This is also the case when one uses tc mirred.
Regarding bpf redirect, well, it depends on the expectations of each bpf
program.
I'd argue that preserving the fields (at least the mark field) in the
*non* xnet makes sense and provides more information and therefore more
capabilities; Alas this might change behavior already being relied on.
Maybe Daniel can comment on the matter.
Regards,
Shmulik
next prev parent reply other threads:[~2018-03-15 9:22 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-13 15:07 [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns Liran Alon
2018-03-13 16:13 ` Yuval Shaia
2018-03-14 12:03 ` Yuval Shaia
2018-03-15 9:21 ` Shmulik Ladkani [this message]
2018-03-15 11:56 ` Daniel Borkmann
2018-03-15 12:50 ` Shmulik Ladkani
2018-03-15 15:13 ` Daniel Borkmann
2018-03-15 15:54 ` Shmulik Ladkani
2018-03-15 17:48 ` Daniel Borkmann
2018-03-20 14:47 ` David Miller
2018-03-20 15:34 ` Liran Alon
2018-03-20 16:00 ` David Miller
2018-03-20 16:11 ` Liran Alon
2018-03-20 16:34 ` David Miller
2018-03-20 16:39 ` Liran Alon
2018-03-20 18:51 ` valdis.kletnieks
2018-03-20 21:12 ` Liran Alon
-- strict thread matches above, loose matches on Subject: below --
2018-03-15 12:14 Liran Alon
2018-03-15 12:23 Liran Alon
2018-03-15 14:35 ` Roman Mashak
2018-03-15 14:53 ` Daniel Borkmann
2018-03-15 15:01 Liran Alon
2018-03-15 16:11 ` Shmulik Ladkani
2018-03-15 15:05 Liran Alon
2018-03-15 16:35 Liran Alon
2018-03-15 16:50 ` Shmulik Ladkani
2018-03-15 17:14 Liran Alon
2018-03-20 16:24 ` Eric W. Biederman
2018-03-20 16:44 ` Liran Alon
2018-03-20 17:07 ` Ben Greear
2018-03-20 18:35 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180315112150.58586758@halley \
--to=shmulik.ladkani@gmail.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=idan.brown@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=liran.alon@oracle.com \
--cc=netdev@vger.kernel.org \
--cc=yuval.shaia@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox