Received: by 10.213.65.68 with SMTP id h4csp1623296imn;
        Thu, 15 Mar 2018 05:15:58 -0700 (PDT)
X-Google-Smtp-Source: AG47ELuIvCC6J6VZL5Xkz95MLO4adXu5zULIwTjfeK4r0ENFtZ2Iuygk0U5mMil7A70R66GFd2oX
X-Received: by 2002:a17:902:aa8e:: with SMTP id d14-v6mr7856510plr.318.1521116158306;
        Thu, 15 Mar 2018 05:15:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521116158; cv=none;
        d=google.com; s=arc-20160816;
        b=TbVUQd6XJlEt9DJ5HFXvAxUHQ50Ru65puAk/2s2C05hAIxkax65fty9v+f6mVxRulR
         +qUmQj6M/nzCuvLlL0F89iSUYuysLUwJkLrQzCEse9gRVVy+bmWmA5Fl43BAXXK+Jm6g
         d1XZVB/nkIfTXugrtWC03Q3O1xM+rS/iH3yeBRc8M+NtnMqgo357US3s5uugZSbLZ7RW
         4zGt/c5u4d3hk5IAD5FZWMvl4bQ/LKAtgcOMgQEAjZcKHEMB80Kjxwj4TGf7U/OZPsZV
         2x1m0DV1/6y/ksjzGSX2/N3DNCtPbRCW574uzHh+Vi+bQYRD5ioHis1UaDH1vxcyLRZR
         ug9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-disposition
         :content-transfer-encoding:subject:cc:to:from:date:message-id
         :mime-version:dkim-signature:arc-authentication-results;
        bh=HlMNsaztY/TSGeE3U59xSF1tL/MRRi6YufWsI2hUBvw=;
        b=Gc99RIZuJK6KFh59ZXnJhF2bBJPN8KDGxxFhDgfwGziKF/YpGmppVY4dv2jxxO9Bx8
         kx8pvN5yV97PkknvkhuwG5BdSDeGI0SNRYCkLSeZ1YuWMQZnwMJg9Pbqs9tI3ETFlMuy
         uSvURGukJUEf/LNha68OX7uRAq1ilCxdkWAzoLymZHBFO5xot/obladlRgdotRzm0dcv
         AR0Sq0kRFFh6ZShLRH+1DLia0qXb12f2rO9HI6ukk9MFkJr7QoXcpS60oeW7MMKv2GlB
         NsBnpkVhGw5xP6Vgca7evTIfZK2kEXoKUhhbR+pF3qzV+gB6juynxU3gC2KLhqTnyqb/
         29/Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ObS8Zu9C;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v2-v6si3833365plp.113.2018.03.15.05.15.43;
        Thu, 15 Mar 2018 05:15:58 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ObS8Zu9C;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751500AbeCOMOo (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Thu, 15 Mar 2018 08:14:44 -0400
Received: from userp2120.oracle.com ([156.151.31.85]:38452 "EHLO
        userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750726AbeCOMOm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Mar 2018 08:14:42 -0400
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1])
        by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w2FCBdbt134758;
        Thu, 15 Mar 2018 12:14:17 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=mime-version :
 message-id : date : from : to : cc : subject : content-type :
 content-transfer-encoding; s=corp-2017-10-26;
 bh=HlMNsaztY/TSGeE3U59xSF1tL/MRRi6YufWsI2hUBvw=;
 b=ObS8Zu9CEVOY5T2wjrIOwKPlkRkc4WYF3BvevlO5fsKOITXaQSimiZviSF6ZLeVKYZ/3
 46HTCzdiNecaSI+6qlRJIDtCyk2Qe7/BnmHUmGUDFTGTKHs8N+3qxr8rwRKI5/Tqqlkv
 b1SakfQaNIn6gvaD39+U/DJ6sGFL9CA3O2OlSwWazAcOhaFsVsH8JBVp3QSqV3mSOCHP
 A3ZDNQZObwlfZLR6kfL1L9+KaycctyCTsAtOs6agd7+SPhtluLjRkfjYsC3Iinesd2Mq
 3C5KLbSq7CPAs4eUxBOatClb1DuFPMv/nmuj/2fOCSS2OKgqnoajZBzdwRP0xb3a4oEK Iw== 
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234])
        by userp2120.oracle.com with ESMTP id 2gqqjsrb8m-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Thu, 15 Mar 2018 12:14:17 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
        by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w2FCEGpM030967
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Thu, 15 Mar 2018 12:14:16 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17])
        by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w2FCEFAA025130;
        Thu, 15 Mar 2018 12:14:15 GMT
MIME-Version: 1.0
Message-ID: <cf2dee1b-6098-47aa-bb2b-f8a44db904e3@default>
Date:   Thu, 15 Mar 2018 05:14:15 -0700 (PDT)
From:   Liran Alon <liran.alon@oracle.com>
To:     <shmulik.ladkani@gmail.com>
Cc:     <netdev@vger.kernel.org>, <daniel@iogearbox.net>,
        <davem@davemloft.net>, <linux-kernel@vger.kernel.org>,
        <yuval.shaia@oracle.com>, <idan.brown@oracle.com>
Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info
 only when crossing netns
X-Mailer: Zimbra on Oracle Beehive
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8832 signatures=668690
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0
 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1711220000 definitions=main-1803150137
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


----- shmulik.ladkani@gmail.com wrote:

> Hi,
>=20
> On Tue, 13 Mar 2018 17:07:22 +0200 Liran Alon <liran.alon@oracle.com>
> wrote:
> > Before this commit, dev_forward_skb() always cleared packet's
> > per-network-namespace info. Even if the packet doesn't cross
> > network namespaces.
> >=20
> > The comment above dev_forward_skb() describes that this is done
> > because the receiving device may be in another network namespace.
> > However, this case can easily be tested for and therefore we can
> > scrub packet's per-network-namespace info only when receiving
> device
> > is indeed in another network namespace.
> >=20
> > Therefore, this commit changes ____dev_forward_skb() to tell
> > skb_scrub_packet() that skb has crossed network-namespace only in
> case
> > transmitting device (skb->dev) network namespace is different then
> > receiving device (dev) network namespace.
>=20
> Assuming the premise of this commit is correct, note it may not act
> as
> intended for xnet situation in ipvlan_process_multicast, snip:
>=20
> =09=09nskb->dev =3D ipvlan->dev;
> =09=09if (tx_pkt)
> =09=09=09ret =3D dev_forward_skb(ipvlan->dev, nskb);
> =09=09else
> =09=09=09ret =3D netif_rx(nskb);
>=20
> as 'dev' gets already assigned to nskb prior dev_forward_skb (hence
> in
> ____dev_forward_skb both dev and skb->dev are the same).
> Fortunately every ipvlan_multicast_enqueue call is preceded by a
> forced
> scrub; It would be future-proof to not assign nskb->dev in the
> dev_forward_skb case (assign it only in the netif_rx case).

I agree. Nice catch.
skb->dev will later get assigned in eth_type_trans() called from __dev_forw=
ard_skb().
I will do this small change in a separate patch before this patch.
(In v2 of this series)

>=20
>=20
> Regarding the premise of this commit, this "reduces" the
> ipvs/orphan/mark scrubbing in the following *non* xnet situations:
>=20
>  1. mac2vlan port xmit to other macvlan ports in Bridge Mode
>  2. similarly for ipvlan
>  3. veth xmit
>  4. l2tp_eth_dev_recv
>  5. bpf redirect/clone_redirect ingress actions
>=20
> Regarding l2tp recv, this commit seems to align the srubbing behavior
> with ip tunnels (full scrub only if crossing netns, see
> ip_tunnel_rcv).
>=20
> Regarding veth xmit, it does makes sense to preserve the fields if
> not
> crossing netns. This is also the case when one uses tc mirred.
>=20
> Regarding bpf redirect, well, it depends on the expectations of each
> bpf
> program.
> I'd argue that preserving the fields (at least the mark field) in the
> *non* xnet makes sense and provides more information and therefore
> more
> capabilities; Alas this might change behavior already being relied
> on.

I now noticed that a similar change was done in the past in
commit 8a83a00b0735 ("net: maintain namespace isolation
between vlan and real device"). Commit changed dev_forward_skb() from alway=
s
setting skb->mark=3D0 to do this only in case we cross netns.

However, a later commit: 59b9997baba5 ("Revert "net: maintain namespace
isolation between vlan and real device") seems to later reverted that chang=
e.
But I think that the regression issue mentioned in the revert isn't
related to the change proposed by this commit.
Please correct me if I'm missing something.

>=20
> Maybe Daniel can comment on the matter.
>=20
> Regards,
> Shmulik