Received: by 10.213.65.68 with SMTP id h4csp1629329imn; Thu, 15 Mar 2018 05:25:10 -0700 (PDT) X-Google-Smtp-Source: AG47ELt6CojWI7UBpgZ0cXlHNY+O7VUCM/vpsFv9ugvQ6eKwfHg1d65CKwROLzwmRAf2iopRiOYg X-Received: by 10.98.234.22 with SMTP id t22mr7586308pfh.56.1521116710853; Thu, 15 Mar 2018 05:25:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521116710; cv=none; d=google.com; s=arc-20160816; b=bRDrMyaL8olzj2M583YUZfhL7leNFSCDcP/odWm09Ym1Z21MdHbqosbf/xJii9EAXH W7HM1FGL2d4J75UIduqWKOk66WQe6+uu57WkKbkhV7sR7f4w3qzzlDuVrQKR3Lf4K74v GyOjtdPjcLxsPUHKZa0p9txTWGI5F5fumMgqLqJktVAPGUAizzRSZ5hL54ylavafmWs5 Nk1/WLSXnA7if6tmCb9ypKGg50M5yVSOI/qvvBfSEnZ81Y4ss3G6kfJ6QGc1cffC+sWw 3u95BoEDTwVWPoyjfzUcD5XbyfZeLOultWJScDQu2aQbbH6t6Jch0O4ZENZYjy/2ct0Z g/hg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition :content-transfer-encoding:subject:cc:to:from:date:message-id :mime-version:dkim-signature:arc-authentication-results; bh=mplPggl60P2nT5UzwdLgXJQZ4+dWuTjpU0f3zOtBWxs=; b=R73GRXRKdT51cFGsuLzZMAAmhsMCqDsYGL/b2TKtWxHVNYIWaKLpng4ETL1tH3T4lo XGNKZ4dbpTS0onjzRlMhhlcyP02XQ9obLp9Y4pG13DuYy7H/4zsjlNFBDj1d2k8K9lin Y5ZSYZMCxj6hYZ5WMIGEKcpCIz3quLUdJVYBROuXKZzx677EtdQ3BgocWzMzmp5P+Hqb BiygtHOM7uC+ZdbcwuC5EBnwo91RBO6NcG0yeLbSDkNltRIiISn1FfUdFH51W/AjmKfh WaLxn1EWxO4fKeOWryr5/wEqTkYRNkySSLom/FKgcGE1XjbfmfuBg78JFft1MZGWBAmX SvPA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ZiHJ8WKt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 3-v6si3848318plr.440.2018.03.15.05.24.56; Thu, 15 Mar 2018 05:25:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ZiHJ8WKt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751466AbeCOMYE (ORCPT + 99 others); Thu, 15 Mar 2018 08:24:04 -0400 Received: from userp2130.oracle.com ([156.151.31.86]:46630 "EHLO userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750745AbeCOMYC (ORCPT ); Thu, 15 Mar 2018 08:24:02 -0400 Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w2FCLhU3048844; Thu, 15 Mar 2018 12:23:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=mime-version : message-id : date : from : to : cc : subject : content-type : content-transfer-encoding; s=corp-2017-10-26; bh=mplPggl60P2nT5UzwdLgXJQZ4+dWuTjpU0f3zOtBWxs=; b=ZiHJ8WKtcIIYGgPgYCJlsxsxzCpcRFjlXGT9ZikJS0KUebqQHpZtvBEbF5kGGVw8ANL9 OhsPmyCnXzz7dvzMs9dpgRjAbIalNiHmmrbYJ9MEOL9znL8reBubEpEv2gMUJetBKAox 0kTuSl+cCv6UBBNcGXUXRV3KN4mPAQkUfHxP4dh7uHZUzUkqW9MBen54nC28dmpxnAXS oa/D85tN8axReo5ymdVWssbZ5XQVsnWnO2UmoXtGwmy+DDozflbJVvNM6q+cxnD/BzMg 1KCtCuQ1JR5lFXdbUGeTcgGyMn5dpTi9qRNmaWlZO+QkaF0dwI227P5ZYG4mg5M9L9n6 pQ== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp2130.oracle.com with ESMTP id 2gqqt3r85x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 15 Mar 2018 12:23:42 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w2FCNfBb029854 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 15 Mar 2018 12:23:41 GMT Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w2FCNfUQ025803; Thu, 15 Mar 2018 12:23:41 GMT MIME-Version: 1.0 Message-ID: Date: Thu, 15 Mar 2018 05:23:41 -0700 (PDT) From: Liran Alon To: Cc: , , , , , Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns X-Mailer: Zimbra on Oracle Beehive Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8832 signatures=668690 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803150139 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ----- daniel@iogearbox.net wrote: > On 03/15/2018 10:21 AM, Shmulik Ladkani wrote: > > Regarding the premise of this commit, this "reduces" the > > ipvs/orphan/mark scrubbing in the following *non* xnet situations: > >=20 > > 1. mac2vlan port xmit to other macvlan ports in Bridge Mode > > 2. similarly for ipvlan > > 3. veth xmit > > 4. l2tp_eth_dev_recv > > 5. bpf redirect/clone_redirect ingress actions > >=20 > > Regarding l2tp recv, this commit seems to align the srubbing > behavior > > with ip tunnels (full scrub only if crossing netns, see > ip_tunnel_rcv). > >=20 > > Regarding veth xmit, it does makes sense to preserve the fields if > not > > crossing netns. This is also the case when one uses tc mirred. > >=20 > > Regarding bpf redirect, well, it depends on the expectations of each > bpf > > program. > > I'd argue that preserving the fields (at least the mark field) in > the > > *non* xnet makes sense and provides more information and therefore > more > > capabilities; Alas this might change behavior already being relied > on. > >=20 > > Maybe Daniel can comment on the matter. >=20 > Overall I think it might be nice to not need scrubbing skb in such > cases, > although my concern would be that this has potential to break > existing > setups when they would expect mark being zero on other veth peer in > any > case since it's the behavior for a long time already. The safer > option > would be to have some sort of explicit opt-in e.g. on link creation to > let > the skb->mark pass through unscrubbed. This would definitely be a > useful > option e.g. when mark is set in the netns facing veth via > clsact/egress > on xmit and when the container is unprivileged anyway. >=20 > Thanks, > Daniel I see your point in regards to backwards comparability. However, not scrubbing skb when it cross netns via some kernel functions co= mpared to others is basically a bug which could easily break with a little bit of mor= e refactoring. Therefore, it seems a bit weird to me to from now on, we will force every user on link creation to consider that once there was a bug leading to this weird behavior on specific netdevs. Thus, I suggest to maybe control this via a global /proc/sys/net file inste= ad. -Liran