Received: by 10.213.65.68 with SMTP id h4csp1623296imn; Thu, 15 Mar 2018 05:15:58 -0700 (PDT) X-Google-Smtp-Source: AG47ELuIvCC6J6VZL5Xkz95MLO4adXu5zULIwTjfeK4r0ENFtZ2Iuygk0U5mMil7A70R66GFd2oX X-Received: by 2002:a17:902:aa8e:: with SMTP id d14-v6mr7856510plr.318.1521116158306; Thu, 15 Mar 2018 05:15:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521116158; cv=none; d=google.com; s=arc-20160816; b=TbVUQd6XJlEt9DJ5HFXvAxUHQ50Ru65puAk/2s2C05hAIxkax65fty9v+f6mVxRulR +qUmQj6M/nzCuvLlL0F89iSUYuysLUwJkLrQzCEse9gRVVy+bmWmA5Fl43BAXXK+Jm6g d1XZVB/nkIfTXugrtWC03Q3O1xM+rS/iH3yeBRc8M+NtnMqgo357US3s5uugZSbLZ7RW 4zGt/c5u4d3hk5IAD5FZWMvl4bQ/LKAtgcOMgQEAjZcKHEMB80Kjxwj4TGf7U/OZPsZV 2x1m0DV1/6y/ksjzGSX2/N3DNCtPbRCW574uzHh+Vi+bQYRD5ioHis1UaDH1vxcyLRZR ug9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition :content-transfer-encoding:subject:cc:to:from:date:message-id :mime-version:dkim-signature:arc-authentication-results; bh=HlMNsaztY/TSGeE3U59xSF1tL/MRRi6YufWsI2hUBvw=; b=Gc99RIZuJK6KFh59ZXnJhF2bBJPN8KDGxxFhDgfwGziKF/YpGmppVY4dv2jxxO9Bx8 kx8pvN5yV97PkknvkhuwG5BdSDeGI0SNRYCkLSeZ1YuWMQZnwMJg9Pbqs9tI3ETFlMuy uSvURGukJUEf/LNha68OX7uRAq1ilCxdkWAzoLymZHBFO5xot/obladlRgdotRzm0dcv AR0Sq0kRFFh6ZShLRH+1DLia0qXb12f2rO9HI6ukk9MFkJr7QoXcpS60oeW7MMKv2GlB NsBnpkVhGw5xP6Vgca7evTIfZK2kEXoKUhhbR+pF3qzV+gB6juynxU3gC2KLhqTnyqb/ 29/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ObS8Zu9C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v2-v6si3833365plp.113.2018.03.15.05.15.43; Thu, 15 Mar 2018 05:15:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ObS8Zu9C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751500AbeCOMOo (ORCPT + 99 others); Thu, 15 Mar 2018 08:14:44 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:38452 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750726AbeCOMOm (ORCPT ); Thu, 15 Mar 2018 08:14:42 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w2FCBdbt134758; Thu, 15 Mar 2018 12:14:17 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=mime-version : message-id : date : from : to : cc : subject : content-type : content-transfer-encoding; s=corp-2017-10-26; bh=HlMNsaztY/TSGeE3U59xSF1tL/MRRi6YufWsI2hUBvw=; b=ObS8Zu9CEVOY5T2wjrIOwKPlkRkc4WYF3BvevlO5fsKOITXaQSimiZviSF6ZLeVKYZ/3 46HTCzdiNecaSI+6qlRJIDtCyk2Qe7/BnmHUmGUDFTGTKHs8N+3qxr8rwRKI5/Tqqlkv b1SakfQaNIn6gvaD39+U/DJ6sGFL9CA3O2OlSwWazAcOhaFsVsH8JBVp3QSqV3mSOCHP A3ZDNQZObwlfZLR6kfL1L9+KaycctyCTsAtOs6agd7+SPhtluLjRkfjYsC3Iinesd2Mq 3C5KLbSq7CPAs4eUxBOatClb1DuFPMv/nmuj/2fOCSS2OKgqnoajZBzdwRP0xb3a4oEK Iw== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp2120.oracle.com with ESMTP id 2gqqjsrb8m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 15 Mar 2018 12:14:17 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w2FCEGpM030967 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 15 Mar 2018 12:14:16 GMT Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w2FCEFAA025130; Thu, 15 Mar 2018 12:14:15 GMT MIME-Version: 1.0 Message-ID: Date: Thu, 15 Mar 2018 05:14:15 -0700 (PDT) From: Liran Alon To: Cc: , , , , , Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns X-Mailer: Zimbra on Oracle Beehive Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8832 signatures=668690 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803150137 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ----- shmulik.ladkani@gmail.com wrote: > Hi, >=20 > On Tue, 13 Mar 2018 17:07:22 +0200 Liran Alon > wrote: > > Before this commit, dev_forward_skb() always cleared packet's > > per-network-namespace info. Even if the packet doesn't cross > > network namespaces. > >=20 > > The comment above dev_forward_skb() describes that this is done > > because the receiving device may be in another network namespace. > > However, this case can easily be tested for and therefore we can > > scrub packet's per-network-namespace info only when receiving > device > > is indeed in another network namespace. > >=20 > > Therefore, this commit changes ____dev_forward_skb() to tell > > skb_scrub_packet() that skb has crossed network-namespace only in > case > > transmitting device (skb->dev) network namespace is different then > > receiving device (dev) network namespace. >=20 > Assuming the premise of this commit is correct, note it may not act > as > intended for xnet situation in ipvlan_process_multicast, snip: >=20 > =09=09nskb->dev =3D ipvlan->dev; > =09=09if (tx_pkt) > =09=09=09ret =3D dev_forward_skb(ipvlan->dev, nskb); > =09=09else > =09=09=09ret =3D netif_rx(nskb); >=20 > as 'dev' gets already assigned to nskb prior dev_forward_skb (hence > in > ____dev_forward_skb both dev and skb->dev are the same). > Fortunately every ipvlan_multicast_enqueue call is preceded by a > forced > scrub; It would be future-proof to not assign nskb->dev in the > dev_forward_skb case (assign it only in the netif_rx case). I agree. Nice catch. skb->dev will later get assigned in eth_type_trans() called from __dev_forw= ard_skb(). I will do this small change in a separate patch before this patch. (In v2 of this series) >=20 >=20 > Regarding the premise of this commit, this "reduces" the > ipvs/orphan/mark scrubbing in the following *non* xnet situations: >=20 > 1. mac2vlan port xmit to other macvlan ports in Bridge Mode > 2. similarly for ipvlan > 3. veth xmit > 4. l2tp_eth_dev_recv > 5. bpf redirect/clone_redirect ingress actions >=20 > Regarding l2tp recv, this commit seems to align the srubbing behavior > with ip tunnels (full scrub only if crossing netns, see > ip_tunnel_rcv). >=20 > Regarding veth xmit, it does makes sense to preserve the fields if > not > crossing netns. This is also the case when one uses tc mirred. >=20 > Regarding bpf redirect, well, it depends on the expectations of each > bpf > program. > I'd argue that preserving the fields (at least the mark field) in the > *non* xnet makes sense and provides more information and therefore > more > capabilities; Alas this might change behavior already being relied > on. I now noticed that a similar change was done in the past in commit 8a83a00b0735 ("net: maintain namespace isolation between vlan and real device"). Commit changed dev_forward_skb() from alway= s setting skb->mark=3D0 to do this only in case we cross netns. However, a later commit: 59b9997baba5 ("Revert "net: maintain namespace isolation between vlan and real device") seems to later reverted that chang= e. But I think that the regression issue mentioned in the revert isn't related to the change proposed by this commit. Please correct me if I'm missing something. >=20 > Maybe Daniel can comment on the matter. >=20 > Regards, > Shmulik