From: Eyal Birger <eyal.birger@gmail.com>
To: nicolas.dichtel@6wind.com
Cc: netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org,
liran.alon@oracle.com, shmulik.ladkani@gmail.com,
daniel@iogearbox.net
Subject: Re: [PATCH net] dev_forward_skb: do not scrub skb mark within the same name space
Date: Fri, 25 Jun 2021 11:45:52 +0300 [thread overview]
Message-ID: <2b01ec85-216a-2785-fd1c-42c38ad30c9d@gmail.com> (raw)
In-Reply-To: <773bae50-3bd6-00bc-7cc6-f5eec510f0b8@6wind.com>
On 24/06/2021 18:26, Nicolas Dichtel wrote:
> Hi Eyal,
>
> Le 24/06/2021 à 14:16, Eyal Birger a écrit :
>> Hi Nicholas,
>>
>> On 24/06/2021 11:05, Nicolas Dichtel wrote:
>>> The goal is to keep the mark during a bpf_redirect(), like it is done for
>>> legacy encapsulation / decapsulation, when there is no x-netns.
>>> This was initially done in commit 213dd74aee76 ("skbuff: Do not scrub skb
>>> mark within the same name space").
>>>
>>> When the call to skb_scrub_packet() was added in dev_forward_skb() (commit
>>> 8b27f27797ca ("skb: allow skb_scrub_packet() to be used by tunnels")), the
>>> second argument (xnet) was set to true to force a call to skb_orphan(). At
>>> this time, the mark was always cleanned up by skb_scrub_packet(), whatever
>>> xnet value was.
>>> This call to skb_orphan() was removed later in commit
>>> 9c4c325252c5 ("skbuff: preserve sock reference when scrubbing the skb.").
>>> But this 'true' stayed here without any real reason.
>>>
>>> Let's correctly set xnet in ____dev_forward_skb(), this function has access
>>> to the previous interface and to the new interface.
>>
>> This change was suggested in the past [1] and I think one of the main concerns
>> was breaking existing callers which assume the mark would be cleared [2].
> Thank you for the pointers!
>
>>
>> Personally, I think the suggestion made in [3] adding a flag to bpf_redirect()
>> makes a lot of sense for this use case.
> I began with this approach, but actually, as I tried to explain in the commit
> log, this looks more like a bug. This function is called almost everywhere in
> the kernel (except for openvswitch and wireguard) with the xnet argument
> reflecting a netns change. In other words, the behavior is different between
> legacy encapsulation and the one made with ebpf :/
>
I agree, and was also surprised that ebpf redirection scrubs the mark in
the same ns - and only on ingress! - so I think keeping the mark should
have been the default behavior. As noted in the thread though it is not
clear whether this would break existing deployments both for ebpf and
veth pairs on the same ns.
Eyal.
next prev parent reply other threads:[~2021-06-25 8:46 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-24 8:05 [PATCH net] dev_forward_skb: do not scrub skb mark within the same name space Nicolas Dichtel
2021-06-24 12:16 ` Eyal Birger
2021-06-24 15:26 ` Nicolas Dichtel
2021-06-25 8:45 ` Eyal Birger [this message]
2021-06-25 14:36 ` Nicolas Dichtel
2021-06-25 18:20 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2b01ec85-216a-2785-fd1c-42c38ad30c9d@gmail.com \
--to=eyal.birger@gmail.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=liran.alon@oracle.com \
--cc=netdev@vger.kernel.org \
--cc=nicolas.dichtel@6wind.com \
--cc=shmulik.ladkani@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).