Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1197537pxu; Fri, 27 Nov 2020 01:58:17 -0800 (PST) X-Google-Smtp-Source: ABdhPJxpk/2HXMqAQd9fU2n84zQRljuDwGa59ABBOXhwkEzwqpEM//8WBzjFzcCop3fDa7zvXvtV X-Received: by 2002:a17:906:cc4c:: with SMTP id mm12mr6559898ejb.47.1606471096984; Fri, 27 Nov 2020 01:58:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606471096; cv=none; d=google.com; s=arc-20160816; b=v/qOJdiQUXztz4V5+3l9y6k5cm7N+lPMz/XKNguL0A7sFsyrt9JJZ5JiEqlMpIpR2X IlHkANNIJipnHMe6Cq0+gGsAdl/2Jmh4yg71NIzzvoLMLoLJ/c4IbJAxnLTjZRGwpLnK KGoqyWrINUSqZ/SMeiEKlcDk3k/9bkDNcBVCRwVSl9fEe3E6mhIkcoTiZjLsASt4oJMk HiNxO2a3Fa6DvSHojAdNiON+7+pbJhlJojAcZqTBh5OMQSiMtNcNaHqIZjapP+BaGH+Z a/OkBi2P6PkszS/tOubmnBIKYUP7xJl4xnXRwNLVWrf0c+UbmtOByf7qbAXa+VC9R/W3 dIJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:to:from:date; bh=pYX06KDWOeugS7X8E6MrgH+io7p3mI6xUf++oRiYaUc=; b=INxDoMIr9jfUk6czh7cBK0DCOIR6u/IcWCytj+QclSTJHTRRMj4GW5fzhxeTtyjyQF cGszSGFvmatz4ZkRtKkJxi/l7hhhF1s2CaclGHdG7esEj9QeFARj8bmqxTSStX4HOd8R J4a3fam5tazzj5zRPqx4dxDWD92aMNp4suaCDMihetMqVxfDZpobI/OjkFEf2XJ4KPMy ZBEtxxke4uoQrbK7g0i5Twb/DMTmU+27loE0vqN77Rt6mIwA1oWFckfmSQ2qiWWy6jen FzhmzJFrcqqr3R44R3Ued7td0TbViMEv+mvbKOSy4/aNtbRxIwKI/08SOwvHdCf2fhVP bUdg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w6si4795899ejc.271.2020.11.27.01.57.48; Fri, 27 Nov 2020 01:58:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726250AbgK0JzO (ORCPT + 99 others); Fri, 27 Nov 2020 04:55:14 -0500 Received: from a.mx.secunet.com ([62.96.220.36]:36520 "EHLO a.mx.secunet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725865AbgK0JzO (ORCPT ); Fri, 27 Nov 2020 04:55:14 -0500 Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id BAB2F20561; Fri, 27 Nov 2020 10:55:12 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lPCOVodai2_I; Fri, 27 Nov 2020 10:55:12 +0100 (CET) Received: from mail-essen-01.secunet.de (unknown [10.53.40.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 42A312026E; Fri, 27 Nov 2020 10:55:12 +0100 (CET) Received: from mbx-essen-01.secunet.de (10.53.40.197) by mail-essen-01.secunet.de (10.53.40.204) with Microsoft SMTP Server (TLS) id 14.3.487.0; Fri, 27 Nov 2020 10:55:12 +0100 Received: from gauss2.secunet.de (10.182.7.193) by mbx-essen-01.secunet.de (10.53.40.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Fri, 27 Nov 2020 10:55:11 +0100 Received: by gauss2.secunet.de (Postfix, from userid 1000) id 6E97F31805CB; Fri, 27 Nov 2020 10:55:11 +0100 (CET) Date: Fri, 27 Nov 2020 10:55:11 +0100 From: Steffen Klassert To: Phil Sutter , , Subject: Re: XFRM interface and NF_INET_LOCAL_OUT hook Message-ID: <20201127095511.GD9390@gauss3.secunet.de> References: <20201125112342.GA11766@orbyte.nwl.cc> <20201126094021.GK8805@gauss3.secunet.de> <20201126131200.GH4647@orbyte.nwl.cc> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <20201126131200.GH4647@orbyte.nwl.cc> X-ClientProxiedBy: cas-essen-01.secunet.de (10.53.40.201) To mbx-essen-01.secunet.de (10.53.40.197) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Nov 26, 2020 at 02:12:00PM +0100, Phil Sutter wrote: > > > > > > Is this a bug or an expected quirk when using XFRM interface? > > > > This is expected behaviour. The xfrm interfaces are plaintext devices, > > the plaintext packets are routed to the xfrm interface which guarantees > > transformation. So the lookup that assigns skb_dst(skb)->xfrm > > happens 'behind' the interface. After transformation, > > skb_dst(skb)->xfrm will be cleared. So this assignment exists just > > inside xfrm in that case. > > OK, thanks for the clarification. > > > Does netfilter match against skb_dst(skb)->xfrm? What is the exact case > > that does not work? > > The reported use-case is a match against tunnel data in output hook: > > | table t { > | chain c { > | type filter hook output priority filter > | oifname eth0 ipsec out ip daddr 192.168.1.2 > | } > | } > > The ipsec expression tries to extract that data from skb_dst(skb)->xfrm > if present. In xt_policy (for iptables), code is equivalent. The above > works when not using xfrm_interface. Initially I assumed one just needs > to adjust the oifname match, but even dropping it doesn't help. Yes, this does not work with xfrm interfaces. As said, they are plaintext devices that guarantee transformation. Maybe you can try to match after transformation by using the secpath, but not sure if that is what you need.