From: Alexander Duyck <alexander.duyck@gmail.com>
To: David Miller <davem@redhat.com>, herbert@gondor.apana.org.au
Cc: alexander.h.duyck@redhat.com, netdev@vger.kernel.org,
steffen.klassert@secunet.com, tgraf@suug.ch
Subject: Re: [net PATCH] ip_vti/ip6_vti: Clear skb->mark when resetting skb->dev in receive path
Date: Fri, 15 May 2015 12:14:43 -0700 [thread overview]
Message-ID: <555645A3.6010509@gmail.com> (raw)
In-Reply-To: <20150515.123726.1298734930500737780.davem@redhat.com>
On 05/15/2015 09:37 AM, David Miller wrote:
> From: Herbert Xu <herbert@gondor.apana.org.au>
> Date: Thu, 14 May 2015 14:26:14 +0800
>
>> On Wed, May 13, 2015 at 11:14:39PM -0700, Alexander Duyck wrote:
>>> The fact is I am not all that familiar with the vti code and just
>>> started crawling through it a few days ago, but it seems like it is
>>> overwriting the skb->mark value with the i_key to determine which
>>> policy to use. The code prior to commit df3893c176e9 ("vti: Update
>>> the ipv4 side to use it's own receive hook.") was saving the old
>>> skb->mark, overwriting it, and then restoring it after a call to
>>> xfrm4_policy_check. After that commit it was letting
>>> skb_scrub_packet in vti_rcv_cb clear the mark and it was just
>>> dropped.
>> Steffen, why is vti touching skb->mark at all? This is supposed
>> to be a field used by user-space to control a packet as it moves
>> inside the kernel. Seconding it for other purposes looks very
>> wrong.
> If anything, the skb_scrub_packet() call right above the skb->mark
> clears should be taking care of this.
That only applies if you are crossing namespaces which we are not in
this case.
> The only case where mark should be cleared is if we are changing
> namespaces, and that's exactly the policy implemented by
> skb_scrub_packet() currently.
Right. The problem is it looks like vti and vti6 are using the mark to
signal to the policy that is meant to be used for either end of the
tunnel. From what I can tell at some point there was a pre-routing hook
that was used but later it was replaced with the i_key for input, and
o_key for output.
> Yeah, this mark handling via tunnel->parms.o_key looks not so good.
So is there any recommendations for an alternative to make it so that
the ipsec endpoint is identified as needing to be encrypted or
decrypted? If needed I could probably take a day or two to try and
address it as I still have a few other minor things I want to try and
fix such as the MTU configuration for vti/vti6.
- Alex
next prev parent reply other threads:[~2015-05-15 19:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-14 2:04 [net PATCH] ip_vti/ip6_vti: Clear skb->mark when resetting skb->dev in receive path Alexander Duyck
2015-05-14 3:28 ` Herbert Xu
2015-05-14 6:14 ` Alexander Duyck
2015-05-14 6:26 ` Herbert Xu
2015-05-15 16:37 ` David Miller
2015-05-15 19:14 ` Alexander Duyck [this message]
2015-05-16 12:34 ` Herbert Xu
2015-05-16 21:13 ` David Miller
2015-05-18 7:04 ` Steffen Klassert
2015-05-18 8:31 ` Herbert Xu
2015-05-18 8:38 ` Steffen Klassert
2015-05-18 8:59 ` Herbert Xu
2015-05-18 10:30 ` Steffen Klassert
2015-05-18 10:33 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555645A3.6010509@gmail.com \
--to=alexander.duyck@gmail.com \
--cc=alexander.h.duyck@redhat.com \
--cc=davem@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).