Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2273715pxu; Mon, 7 Dec 2020 02:07:00 -0800 (PST) X-Google-Smtp-Source: ABdhPJynwfm9BmxPP4S2ZQJNXcuADRiqZ8GYqCV8a4A7pK75v/TtcqRIUt9CLa4EzDyKH0UIaAB1 X-Received: by 2002:a17:906:ce3c:: with SMTP id sd28mr17961882ejb.485.1607335619917; Mon, 07 Dec 2020 02:06:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607335619; cv=none; d=google.com; s=arc-20160816; b=X2IY6oVET7lSlc+kq3XpjjS+sNxH7Xq0tJNX5LOp21MF+J+zpIVLwGN0hCEZB7GIVl iTdLJNRBODjkR9c9jaJqc87RdKU8Etj+otEEOf18K86l8k9AIG1PPiOAE7McePIzFI2q eRLCHFEnWAP8Qyw4VEvYiOO5hKYRpCPfbm18uKYyNG7vCTEmQiAopUwEEHUjPrJ9Q+UM zmLCl2kEOvqTCKkYkLOnfeV/Jv3LMyQ7M52rwpCD+5FZwMlc6t14+c8soJaVs1SVGIKo hIKDsItEQnVOmvkKH0myyOGhOQdUtKnmL1370eQPslVJLpxu0MpQkUdkWaNN7MiEikV0 2New== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:to:from:date; bh=8KqXojHB4x0O8DCVeeCS90ZKbjB88huySnQg1l4GteA=; b=OhKZI/BTqxh0BKPb+aBQZk8Mjd8V21AFgPsu59Z2PjYSz2n4L1SsJsRVcD9V5Skhc4 9E8mqsUhX3o8ScLc0wyZgBL0ltVK5/YT8ph7jDFnC5g8pEb8fzQkQtv9euFZlkqxz0SY QahBLXyeX7HMIdJ0pFN85vth/byXGZM8wUkr05AumzirWBzpG5qukXt6C7x8ozn/lv+I buj8Kwo4lgvjFMAlISYJ0V4DUtZ+JBYCNcKg3oCY5I2mnGDMoeOCB4QhA1kXFFIOO6Q0 bbfjDtoT0UetxsM2JB25qnHms+qlRA0r6bKzbKmLV2ZpB5UQgCSPlR6VMVbPDO35Bzqz dO8g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z41si8078246ede.411.2020.12.07.02.06.28; Mon, 07 Dec 2020 02:06:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726207AbgLGKGK (ORCPT + 99 others); Mon, 7 Dec 2020 05:06:10 -0500 Received: from a.mx.secunet.com ([62.96.220.36]:50004 "EHLO a.mx.secunet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726023AbgLGKGJ (ORCPT ); Mon, 7 Dec 2020 05:06:09 -0500 Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 055D820270; Mon, 7 Dec 2020 11:05:28 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WJ-Ol7voqbH2; Mon, 7 Dec 2020 11:05:27 +0100 (CET) Received: from mail-essen-01.secunet.de (unknown [10.53.40.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 85987201E5; Mon, 7 Dec 2020 11:05:27 +0100 (CET) Received: from mbx-essen-01.secunet.de (10.53.40.197) by mail-essen-01.secunet.de (10.53.40.204) with Microsoft SMTP Server (TLS) id 14.3.487.0; Mon, 7 Dec 2020 11:05:27 +0100 Received: from gauss2.secunet.de (10.182.7.193) by mbx-essen-01.secunet.de (10.53.40.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Mon, 7 Dec 2020 11:05:26 +0100 Received: by gauss2.secunet.de (Postfix, from userid 1000) id 4A269318085B; Wed, 2 Dec 2020 14:18:47 +0100 (CET) Date: Wed, 2 Dec 2020 14:18:47 +0100 From: Steffen Klassert To: Phil Sutter , , Subject: Re: XFRM interface and NF_INET_LOCAL_OUT hook Message-ID: <20201202131847.GB85961@gauss3.secunet.de> References: <20201125112342.GA11766@orbyte.nwl.cc> <20201126094021.GK8805@gauss3.secunet.de> <20201126131200.GH4647@orbyte.nwl.cc> <20201127095511.GD9390@gauss3.secunet.de> <20201127141048.GL4647@orbyte.nwl.cc> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <20201127141048.GL4647@orbyte.nwl.cc> X-ClientProxiedBy: cas-essen-02.secunet.de (10.53.40.202) To mbx-essen-01.secunet.de (10.53.40.197) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Fri, Nov 27, 2020 at 03:10:48PM +0100, Phil Sutter wrote: > On Fri, Nov 27, 2020 at 10:55:11AM +0100, Steffen Klassert wrote: > > On Thu, Nov 26, 2020 at 02:12:00PM +0100, Phil Sutter wrote: > > > > > > > > > > Is this a bug or an expected quirk when using XFRM interface? > > > > > > > > This is expected behaviour. The xfrm interfaces are plaintext devices, > > > > the plaintext packets are routed to the xfrm interface which guarantees > > > > transformation. So the lookup that assigns skb_dst(skb)->xfrm > > > > happens 'behind' the interface. After transformation, > > > > skb_dst(skb)->xfrm will be cleared. So this assignment exists just > > > > inside xfrm in that case. > > > > > > OK, thanks for the clarification. > > > > > > > Does netfilter match against skb_dst(skb)->xfrm? What is the exact case > > > > that does not work? > > > > > > The reported use-case is a match against tunnel data in output hook: > > > > > > | table t { > > > | chain c { > > > | type filter hook output priority filter > > > | oifname eth0 ipsec out ip daddr 192.168.1.2 > > > | } > > > | } > > > > > > The ipsec expression tries to extract that data from skb_dst(skb)->xfrm > > > if present. In xt_policy (for iptables), code is equivalent. The above > > > works when not using xfrm_interface. Initially I assumed one just needs > > > to adjust the oifname match, but even dropping it doesn't help. > > > > Yes, this does not work with xfrm interfaces. As said, they are plaintext > > devices that guarantee transformation. > > > > Maybe you can try to match after transformation by using the secpath, > > but not sure if that is what you need. > > Secpath is used for input only, no? Yes, apparently :-/ There are cases where we have a secpath for output, but you can't rely on it. > I played a bit more with xfrm_interface and noticed that when used, > NF_INET_LOCAL_OUT hook sees the packet (an ICMP reply) only once instead > of twice as without xfrm_interface. I don't think using it should change > behaviour that much apart from packets without matching policy being > dropped. What do you think about the following fix? I checked forwarding > packets as well and it looks like behaviour is identical to plain > policy: > > diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c > index aa4cdcf69d471..24af61c95b4d4 100644 > --- a/net/xfrm/xfrm_interface.c > +++ b/net/xfrm/xfrm_interface.c > @@ -317,7 +317,8 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) > skb_dst_set(skb, dst); > skb->dev = tdev; > > - err = dst_output(xi->net, skb->sk, skb); > + err = NF_HOOK(skb_dst(skb)->ops->family, NF_INET_LOCAL_OUT, xi->net, > + skb->sk, skb, NULL, skb_dst(skb)->dev, dst_output); > if (net_xmit_eval(err) == 0) { > struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats); I don't mind that change, but we have to be carefull on namespace transition. xi->net is the namespace 'behind' the xfrm interface. I guess this is the namespace where you want to do the match because that is the namespace that has the policies and states for the xfrm interface. So I think that change is correct, I just wanted to point that out explicitely.