Received: by 10.213.65.68 with SMTP id h4csp2825imn; Thu, 15 Mar 2018 07:54:18 -0700 (PDT) X-Google-Smtp-Source: AG47ELuMERvfCZtsfNhugBWMPMhBSg1PE0T9sagonYXVHWbtctZIsOi6KZifVRv4NOhruc7f/AqC X-Received: by 10.98.135.76 with SMTP id i73mr7969176pfe.140.1521125658122; Thu, 15 Mar 2018 07:54:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521125658; cv=none; d=google.com; s=arc-20160816; b=CWlDEnDk94A13FZA1sbXDRs7VibmTqaPhNbBFpnGZpviCJtzNvcymK5o9bRzi3Rrww vxCT7tlJy1ZY+vvxw66SZHrXkB4A4jNwukxWsR+hkc1y1/4qOAffMcYANyqiNZKx7eZZ kj3Jo2WeJKwWe2mTYjskvmN9Qv2W7kXOdQtC4bMv+SG4B4E9N6HwwOAJirNBy2nbwvlU JgtslrZl1JdGQ0nTbiuc8og64Rnyn/4ZQhRonUxA91eBIp9ts3PEzEC/03+MlvBt/O6m gUmfkc3S6G1Gw+YxsM23c0+7qi0qvTksgBE11UIcsug2wQCMvLUmTcYVAyr1HZAsNCfj 6ubg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=cK0TNEnPSEbopO3bGLrmCvDDqkRIA5tM3GwBSugJPOw=; b=LLmB7JnRE06kX+QUwc9GZW6nipLDu78kNc0JvpcSZlop75otLKALwj+43e6Vl1QJzc xkYLnux6B1b+ct8wRb9nJdqvEKwdAirpSqahyUtNxgkhDUstgrI9yFCqXbyUEvOh0cvm 9sXNg9lrcyFphapsoJcfuwQxu6KxQMrq7Ifvr1/XN5JcXMJ3cJuzhnjj+h9z3Zl9SziK /KRtCm/jIZVTxe9rX05JMUsEB3ZqplJOte7m2jGb3FK/gMbh8+VXpopgO7Wvf6sZ6tkk R8y68vaSVNnhHcL1X/DBAH2FxCgEUg0qlbQHeN2C4OJxaXL8Y5UIiR0kUe0KOJPrsAMz oDCA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f31-v6si4098208plb.636.2018.03.15.07.54.03; Thu, 15 Mar 2018 07:54:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752659AbeCOOxO (ORCPT + 99 others); Thu, 15 Mar 2018 10:53:14 -0400 Received: from www62.your-server.de ([213.133.104.62]:46131 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752293AbeCOOxM (ORCPT ); Thu, 15 Mar 2018 10:53:12 -0400 Received: from [62.202.221.10] (helo=linux.home) by www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.85_2) (envelope-from ) id 1ewUFh-0003vn-8Y; Thu, 15 Mar 2018 15:53:09 +0100 Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns To: Roman Mashak , Liran Alon Cc: netdev@vger.kernel.org, shmulik.ladkani@gmail.com, davem@davemloft.net, linux-kernel@vger.kernel.org, yuval.shaia@oracle.com, idan.brown@oracle.com References: <85woydh0e9.fsf@mojatatu.com> From: Daniel Borkmann Message-ID: Date: Thu, 15 Mar 2018 15:53:08 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <85woydh0e9.fsf@mojatatu.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.99.3/24395/Thu Mar 15 09:14:06 2018) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/15/2018 03:35 PM, Roman Mashak wrote: > Liran Alon writes: > [...] >>> Overall I think it might be nice to not need scrubbing skb in such >>> cases, >>> although my concern would be that this has potential to break >>> existing >>> setups when they would expect mark being zero on other veth peer in >>> any >>> case since it's the behavior for a long time already. The safer >>> option >>> would be to have some sort of explicit opt-in e.g. on link creation to >>> let >>> the skb->mark pass through unscrubbed. This would definitely be a >>> useful >>> option e.g. when mark is set in the netns facing veth via >>> clsact/egress >>> on xmit and when the container is unprivileged anyway. >>> >>> Thanks, >>> Daniel >> >> I see your point in regards to backwards comparability. >> However, not scrubbing skb when it cross netns via some kernel functions compared to >> others is basically a bug which could easily break with a little bit of more refactoring. >> Therefore, it seems a bit weird to me to from now on, we will force >> every user on link creation to consider that once there was a bug leading >> to this weird behavior on specific netdevs. Why bug specifically? It could well be that for some unpriv containers it would be fine to do e.g. in cases where orchestrator sets up clsact/ egress on veth/ipvlan/etc in the container to set the mark and where app cannot mess with this while for others you need to act out of host facing veth; thus, explicit opt-in per dev could provide such more fine grained control. > One valid use case could be preserving a source namespace nsid in > skb->mark when a packet crosses netns. Right, was thinking about something similar.