Received: by 10.213.65.68 with SMTP id h4csp102534imn; Thu, 15 Mar 2018 10:49:35 -0700 (PDT) X-Google-Smtp-Source: AG47ELsdUW46Jdk6nBa62oq2f5eESeNPyXsh9VNFO3LB1oWLIMTcbvirKkh87mgp1Ib/0h4aYUhM X-Received: by 2002:a17:902:228:: with SMTP id 37-v6mr9069103plc.141.1521136175047; Thu, 15 Mar 2018 10:49:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521136175; cv=none; d=google.com; s=arc-20160816; b=Zf8uSCm3kwJ5MEOD6GF9mEYqGSdMnZ0hyc7Ga9f09Nxpg7/B3sPq1Noei8KTIMcL1r 09rdba+xe/4KTP/H3FOIEPghgbnHg1rdSeaqRk+DqCdOZGWLmtibxGgQ4Ii4aPqYGnuq igDSkxjbTL+XRPzYHGsjFXDwrngQl8IlHrKlyeYbInFX2L6Eq6UW52bZbUrO7uEtOPef y/lXwKbpRurK5GJ+sexnCNQ94NjezLx55r4HQ1UB5PfovDo8XH1w8Yh8EEFXyWyYK/C7 OTObTupSzO2ZiCK6hJQ9oPAQtKS/4aW8+JRa4wPrZi5zkta4H/aWJYOfoZ3Ufbs8seDv 8p9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=GrG3n2psOTuCEvqIutG54kGS4pO5yLsodbGqsy03bLY=; b=BUS6Mz3oTwzGxGjAYnHeLuogR8Z0vtBgdjKnPsibP5ThmNtcHLcnPMj/s30D9oe8dr +kExZ2v1I+GgxWvCNrBnTa1rPk+IH5Xr02CTFBsAstfSl2pnLYhQRARIwnlIF23w7qS2 a2c5U93DCv5R/kWkdBPLWsiAHZOivZV2+WN0ft0K4ypsa8WmlUm14di9/+fKz+0drZv+ MPGkJWWEMlK9izGuNelCsPO3lv4FfXKa4WxlFWTL3/G03jSN3LZsMwo1i2nOwsZXsV1N oFNpuxb7hRTRST5Eg4ARvmKH4imhobmgXC1DYG+y+NqClHbgqEvRIOomdjC6E5uZSkxB jcbg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t8si3718213pgc.273.2018.03.15.10.49.20; Thu, 15 Mar 2018 10:49:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752434AbeCORsb (ORCPT + 99 others); Thu, 15 Mar 2018 13:48:31 -0400 Received: from www62.your-server.de ([213.133.104.62]:45982 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751372AbeCORsa (ORCPT ); Thu, 15 Mar 2018 13:48:30 -0400 Received: from [62.202.221.10] (helo=linux.home) by www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.85_2) (envelope-from ) id 1ewWzI-0002Om-Tz; Thu, 15 Mar 2018 18:48:25 +0100 Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns To: Shmulik Ladkani Cc: Liran Alon , davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, idan.brown@oracle.com, Yuval Shaia References: <1520953642-8145-1-git-send-email-liran.alon@oracle.com> <20180315112150.58586758@halley> <20180315145038.16df4fea@halley> <20180315175444.02d70f23@halley> From: Daniel Borkmann Message-ID: <9115c9d2-b788-7432-2238-9ac21f632480@iogearbox.net> Date: Thu, 15 Mar 2018 18:48:24 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <20180315175444.02d70f23@halley> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.99.3/24396/Thu Mar 15 17:13:59 2018) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/15/2018 04:54 PM, Shmulik Ladkani wrote: > On Thu, 15 Mar 2018 16:13:39 +0100 Daniel Borkmann wrote: >> On 03/15/2018 01:50 PM, Shmulik Ladkani wrote: >>> >>> It would be beneficial to have the mark preserved when skb is injected >>> to the slave device's rx path (especially when it's on the same netns). >> >> Right, I think also here the easiest would be to have a BPF_F_PRESERVE_MARK >> flag to opt-in in general case (xnet/non-xnet) > > Sounds okay to me. > >> But lets presume for a sec you would _not_ scrub it, then how are users >> supposed to make use of this? The feature/bug may not be critical enough >> (well, otherwise it wouldn't have been like this for long time) for stable, >> so to write an app relying on it the behavior will change from kernel A to >> kernel B, where you need to end up having a full blown veth run-time test >> in order to figure it out before you can use it, not really useful either. > > Let's assume BPF_F_PRESERVE_MARK is a feature then, which is available only > in new kernels. > As said, this flag will not be honored by older kernels. > > But your "run-time test" argument is true for every new flag-bit > introduced to bpf functions, for example: > BPF_F_SEQ_NUMBER was added after other skb_set_tunnel_key flags, > Same for BPF_F_INVALIDATE_HASH (skb_store_bytes), BPF_F_MARK_ENFORCE > (l4_csum_replace) and others. > > With every flag addition, the flag mask validation in the corresponding > bpf function has been relaxed to support it. > > Why is BPF_F_PRESERVE_MARK any different from any previous flag addition? Not really different than other BPF helpers, but you can simply figure it out via BPF_PROG_TEST_RUN by calling bpf_redirect() helper on some fake ifindex and check the return value whether it's shot or redirect. This is definitely trivial to do and doesn't require any devs to set up compared to otherwise full blown setup. E.g. test_verifier uses this for the test case array it contains. Cheers, Daniel