Received: by 10.213.65.68 with SMTP id h4csp9396imn; Thu, 15 Mar 2018 08:03:37 -0700 (PDT) X-Google-Smtp-Source: AG47ELuemOkx4/rGrV9pWHSC+/sksgjj23pJM4uTGR/NSEOn8jSdufMy20iGbiViH8ZlkgOIbTuf X-Received: by 10.99.149.15 with SMTP id p15mr7068561pgd.154.1521126217165; Thu, 15 Mar 2018 08:03:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521126217; cv=none; d=google.com; s=arc-20160816; b=tgFTlOhD6dKfO6Fch2NYHhXvYRPcEB+AYT/9zRfhfcU2LJA8uPI5FyOGDO+CsJlQI+ q3D6ycB07IlWvq2OljTWIBFKRcJSU2ZDT6kzVoiAXxd1LLRX60TQydPrYDCmQ3mc5Urm Cyyh+u/KIRHb54XPgPa+UJIyqiK9icieFT2rTNg05YB4tgfg1QF6N1dtCK0s0b9K4rWq ZBrvALCrRvejcTq6KetgPGrjuyP0TbM+KFFrufBLEmrCKO0WiW3z4XU5eE+baPRnKqUP Z/s2JQ+CD6lVZNhf4S9vYAHM4r8/oSQu554ciT0Z2CwfufgW+YxIr1oQKWWbHKPmgBiq yCWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition :content-transfer-encoding:subject:cc:to:from:date:message-id :mime-version:dkim-signature:arc-authentication-results; bh=1bQ5JPiSuEpFt5/Md7mgK/e9gBHOBaHLZ+IT6tZGr84=; b=w2qgVJAL3yNXxmnd97hc7pKoC6iR3/kaphzaMvbLLfswaOJh/aPKLZe/uKRMu7yWyA DW0DZ6R69IANGglidAYWS0j8B+Vq4epw1RQ55xczxbi76WHlH+5RYbuTbf3t9gYHIJJm yeJhHVRuO/HOMdQ1XDZ+x0WoDm+uMywLXi8fq0wDVEB30aZ3H7OHeWYeiVP1w+NChfuq BLA/FubYHmEEsD7Un+Cx/poO+fI6MJLG4T8fLKG92o9kaIPxDzj2eucaiB23kFWWmISP sHDZD5girfx2jCuxMDyrl7EV+quigTrjUXBN4Q7iW2GCBiME8TQsT+aGLCe5JZ8Kc4Wc uCLA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=Gxl+CSIH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f31-v6si4098208plb.636.2018.03.15.08.03.20; Thu, 15 Mar 2018 08:03:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=Gxl+CSIH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752749AbeCOPBe (ORCPT + 99 others); Thu, 15 Mar 2018 11:01:34 -0400 Received: from aserp2120.oracle.com ([141.146.126.78]:56428 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751943AbeCOPBd (ORCPT ); Thu, 15 Mar 2018 11:01:33 -0400 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w2FEucuj015330; Thu, 15 Mar 2018 15:01:05 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=mime-version : message-id : date : from : to : cc : subject : content-type : content-transfer-encoding; s=corp-2017-10-26; bh=1bQ5JPiSuEpFt5/Md7mgK/e9gBHOBaHLZ+IT6tZGr84=; b=Gxl+CSIHW0cPsZN2kDU59Cno+WsdjgE/O96AAEtybKRFq4hH3hCG35y8cZNGy/H3NbKk 1td9/XrQ3UiBj8XnXcj/17OziPXcEcnxI4HZwYeIvFejm3mxGtKyKXO5BgkfsUCj45tN jgicxkeChyWavOuqEXI27v0AYmlsKPrp81GThWkU0W8rfL8vYOCUZke4t+PBciRpwQ8y YkQ19v2QkgQsQhAEPx7uyKb4fx0ndtUmGuFtUHgLCZ5uYELD/Po32CA7QQJYDVX5fq5G j2z84jn/RvGM10FJ10Xi9bph0oVjDjuXNRMMlbQZAhH4emTvVVvVmHFaNPxMScUgz92H AQ== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp2120.oracle.com with ESMTP id 2gqu0sg1ud-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 15 Mar 2018 15:01:05 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w2FF15TT029622 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 15 Mar 2018 15:01:05 GMT Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w2FF14bW002166; Thu, 15 Mar 2018 15:01:04 GMT MIME-Version: 1.0 Message-ID: <58e67195-56f6-4d01-8747-f8322a382358@default> Date: Thu, 15 Mar 2018 08:01:03 -0700 (PDT) From: Liran Alon To: Cc: , , , , , , Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns X-Mailer: Zimbra on Oracle Beehive Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8832 signatures=668690 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803150166 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ----- mrv@mojatatu.com wrote: > Liran Alon writes: >=20 >=20 > [...] >=20 > >> Overall I think it might be nice to not need scrubbing skb in such > >> cases, > >> although my concern would be that this has potential to break > >> existing > >> setups when they would expect mark being zero on other veth peer > in > >> any > >> case since it's the behavior for a long time already. The safer > >> option > >> would be to have some sort of explicit opt-in e.g. on link creation > to > >> let > >> the skb->mark pass through unscrubbed. This would definitely be a > >> useful > >> option e.g. when mark is set in the netns facing veth via > >> clsact/egress > >> on xmit and when the container is unprivileged anyway. > >>=20 > >> Thanks, > >> Daniel > > > > I see your point in regards to backwards comparability. > > However, not scrubbing skb when it cross netns via some kernel > functions compared to > > others is basically a bug which could easily break with a little bit > of more refactoring. > > Therefore, it seems a bit weird to me to from now on, we will force > > every user on link creation to consider that once there was a bug > leading > > to this weird behavior on specific netdevs. > > Thus, I suggest to maybe control this via a global /proc/sys/net > file instead. >=20 > One valid use case could be preserving a source namespace nsid in > skb->mark when a packet crosses netns. Before and after this commit, veth peers that crosses netns zero skb->mark. Therefore, what you suggest is a new feature unrelated to the issue fixed by this commit. I still think that default behavior should be to zero skb->mark only when s= kb cross netdevs in different netns. And for backwards comparability, we can consider adding a /proc/sys/net/core file to let dev_forward_skb() to alway= s scrub packet regardless if it crosses netdevs or not.