Date: Thu, 26 Nov 2020 10:40:21 +0100
From: Steffen Klassert
To: Phil Sutter , ,
Subject: Re: XFRM interface and NF_INET_LOCAL_OUT hook
Message-ID: <20201126094021.GK8805@gauss3.secunet.de>
References: <20201125112342.GA11766@orbyte.nwl.cc>
In-Reply-To: <20201125112342.GA11766@orbyte.nwl.cc>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Phil,

On Wed, Nov 25, 2020 at 12:23:42PM +0100, Phil Sutter wrote:
> Hi Steffen,
>
> I am working on a ticket complaining about netfilter policy match
> missing packets in OUTPUT chain if XFRM interface is being used.
>
> I don't fully overlook the relevant code path, but it seems like
> skb_dest(skb)->xfrm is not yet assigned when the skb is routed towards
> XFRM interface and already cleared again (by xfrm_output_one?) before it
> makes its way towards the real output interface. NF_INET_POST_ROUTING
> hook works though.
>
> Is this a bug or an expected quirk when using XFRM interface?

This is expected behaviour. The xfrm interfaces are plaintext devices;
the plaintext packets are routed to the xfrm interface, which guarantees
transformation. So the lookup that assigns skb_dst(skb)->xfrm happens
'behind' the interface. After transformation, skb_dst(skb)->xfrm will be
cleared. So this assignment exists just inside xfrm in that case.

Does netfilter match against skb_dst(skb)->xfrm? What is the exact case
that does not work?
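An added illustration of the hook placement discussed above; this is not part of the thread and not code from either author. It is an nftables ruleset fragment showing where a rule that depends on the xfrm lookup can live when traffic leaves the host through an xfrm interface: at the output hook the packet has only been routed towards the xfrm device and skb_dst(skb)->xfrm is not set yet, so an ipsec match there never fires; at the postrouting hook the lookup has happened and the match works, as reported in the thread. Matching on the chosen output device in the output chain instead is a suggested alternative that follows from the packet being routed to the xfrm interface; the interface name ipsec0, the reqid 1 and the 10.0.0.0/24 subnet are assumed placeholder values.

```nft
table inet filter {
    chain output {
        type filter hook output priority 0; policy accept;
        # Packet is still plaintext here and has only been routed towards the
        # xfrm interface; skb_dst(skb)->xfrm is not assigned yet, so a rule
        # like "ipsec out reqid 1" at this hook would never match.
        # What is already known is the selected output device, so match on
        # that instead (ipsec0 is an assumed interface name).
        oifname "ipsec0" ip daddr 10.0.0.0/24 counter accept
    }
    chain postrouting {
        type filter hook postrouting priority 0; policy accept;
        # At this hook the xfrm lookup has been done for traffic leaving via
        # the xfrm interface, so the ipsec match works (reqid 1 is assumed).
        ipsec out reqid 1 counter accept
    }
}
```

The iptables equivalent of the postrouting rule is `-m policy --dir out --pol ipsec` placed in POSTROUTING rather than OUTPUT; the counters on both rules make it easy to verify on a test host which hook actually sees the xfrm-interface traffic.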