From: Eyal Birger <eyal.birger@gmail.com>
To: Benedict Wong <benedictwong@google.com>
Cc: netdev@vger.kernel.org, steffen.klassert@secunet.com,
tobias@strongswan.org, lorenzo@google.com, nharold@google.com,
maze@google.com
Subject: Re: [PATCH ipsec, resend 1/1] xfrm: Make set-mark default behavior backward compatible
Date: Tue, 15 Jan 2019 07:11:33 +0200 [thread overview]
Message-ID: <20190115071133.768075a4@jimi> (raw)
In-Reply-To: <20190114192438.198153-2-benedictwong@google.com>
Hi Benedict,
On Mon, 14 Jan 2019 11:24:38 -0800
Benedict Wong <benedictwong@google.com> wrote:
> Fixes 9b42c1f179a6, which changed the default route lookup behavior
> for tunnel mode SAs in the outbound direction to use the skb mark,
> whereas previously mark=0 was used if the output mark was
> unspecified. In mark-based routing schemes such as Android’s, this
> change in default behavior causes routing loops or lookup failures.
>
> This patch restores the default behavior of using a 0 mark while still
> incorporating the skb mark if the SET_MARK (and SET_MARK_MASK) is
> specified.
It's a little sad that we didn't distinguish between 'no-mark-provided'
and 'mark = mask = 0'. IIUC before this fix, explicitly setting mark,
mask to a) mark = 0, mask = 0xffffffff and b) mark = 0, mask = 0 behaved
differently, whereas after this fix they will act the same.
But as it seems there was never support for the (b) scenario and commit
9b42c1f179a6 broke the existing behavior, so I'm ok with this fix.
Thanks!
Eyal.
>
> Tested with additions to Android's kernel unit test suite:
> https://android-review.googlesource.com/c/kernel/tests/+/860150
>
> Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input
> direction and masking") Signed-off-by: Benedict Wong
> <benedictwong@google.com> ---
> net/xfrm/xfrm_policy.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> index 934492bad8e0..5f574ede1332 100644
> --- a/net/xfrm/xfrm_policy.c
> +++ b/net/xfrm/xfrm_policy.c
> @@ -2600,7 +2600,10 @@ static struct dst_entry
> *xfrm_bundle_create(struct xfrm_policy *policy,
> dst_copy_metrics(dst1, dst);
> if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
> - __u32 mark = xfrm_smark_get(fl->flowi_mark,
> xfrm[i]);
> + __u32 mark = 0;
> +
> + if (xfrm[i]->props.smark.v ||
> xfrm[i]->props.smark.m)
> + mark =
> xfrm_smark_get(fl->flowi_mark, xfrm[i]);
> family = xfrm[i]->props.family;
> dst = xfrm_dst_lookup(xfrm[i], tos,
> fl->flowi_oif,
next prev parent reply other threads:[~2019-01-15 5:11 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-14 19:24 [PATCH ipsec, resend 0/1] xfrm: set-mark default behavior changes Benedict Wong
2019-01-14 19:24 ` [PATCH ipsec, resend 1/1] xfrm: Make set-mark default behavior backward compatible Benedict Wong
2019-01-15 5:11 ` Eyal Birger [this message]
2019-01-15 19:05 ` Benedict Wong
2019-01-17 11:30 ` Steffen Klassert
-- strict thread matches above, loose matches on Subject: below --
2019-01-11 20:14 [PATCH ipsec, resend 0/1] xfrm: set-mark default behavior changes Benedict Wong
2019-01-11 20:14 ` [PATCH ipsec, resend 1/1] xfrm: Make set-mark default behavior backward compatible Benedict Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190115071133.768075a4@jimi \
--to=eyal.birger@gmail.com \
--cc=benedictwong@google.com \
--cc=lorenzo@google.com \
--cc=maze@google.com \
--cc=netdev@vger.kernel.org \
--cc=nharold@google.com \
--cc=steffen.klassert@secunet.com \
--cc=tobias@strongswan.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).