From mboxrd@z Thu Jan  1 00:00:00 1970
From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns
Date: Tue, 20 Mar 2018 13:35:00 -0500
Message-ID: <87lgem38a3.fsf@xmission.com>
References: <0d84d286-9965-45cb-93c8-379ca1b2441e@default>
        <87tvta67gl.fsf@xmission.com> <5AB13A86.9010607@ORACLE.COM>
        <d031d870-27c0-3fde-7ab8-bf65f6c9d910@candelatech.com>
Mime-Version: 1.0
Content-Type: text/plain
Cc: Liran Alon <LIRAN.ALON@ORACLE.COM>, shmulik.ladkani@gmail.com,
        netdev@vger.kernel.org, mrv@mojatatu.com, daniel@iogearbox.net,
        davem@davemloft.net, linux-kernel@vger.kernel.org,
        yuval.shaia@ORACLE.COM, idan.brown@ORACLE.COM
To: Ben Greear <greearb@candelatech.com>
Return-path: <linux-kernel-owner@vger.kernel.org>
In-Reply-To: <d031d870-27c0-3fde-7ab8-bf65f6c9d910@candelatech.com> (Ben
        Greear's message of "Tue, 20 Mar 2018 10:07:47 -0700")
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Ben Greear <greearb@candelatech.com> writes:

> On 03/20/2018 09:44 AM, Liran Alon wrote:
>>
>>
>> On 20/03/18 18:24, ebiederm@xmission.com wrote:
>>>
>>> I don't believe the current behavior is a bug.
>>>
>>> I looked through the history.  Basically skb_scrub_packet
>>> started out as the scrubbing needed for crossing network
>>> namespaces.
>>>
>>> Then tunnels which needed 90% of the functionality started
>>> calling it, with the xnet flag added.  Because the tunnels
>>> needed to preserve their historic behavior.
>>>
>>> Then dev_forward_skb started calling skb_scrub_packet.
>>>
>>> A veth pair is supposed to give the same behavior as a cross-over
>>> cable plugged into two local nics.  A cross over cable won't
>>> preserve things like the skb mark.  So I don't see why anyone would
>>> expect a veth pair to preserve the mark.
>>
>> I disagree with this argument.
>>
>> I think that a skb crossing netns is what simulates a real packet
>> crossing physical computers. Following your argument, why would
>> skb->mark should be preserved when crossing netdevs on same netns via
>> routing? But this does today preserve skb->mark.
>>
>> Therefore, I do think that skb->mark should conceptually only be
>> scrubbed when crossing netns. Regardless of the netdev used to cross
>> it.
>
> It should be scrubbed in VETH as well.  That is one way to make virtual routers.  Possibly
> the newer VRF features will give another better way to do it, but you should not break
> things that used to work.
>
> Now, if you want to add a new feature that allows one to configure the kernel (or VETH) for
> a new behavior, then that might be something to consider.
>
>>> Right now I don't see the point of handling packets that don't cross
>>> network namespace boundaries specially, other than to preserve backwards
>>> compatibility.
>
> Well, backwards compat is a big deal all by itself!

Absolutely agreed.

Eric