Date: Mon, 7 Dec 2020 13:35:11 +0100
From: Phil Sutter
To: Steffen Klassert
Cc: linux-crypto@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: XFRM interface and NF_INET_LOCAL_OUT hook
Message-ID: <20201207123511.GN4647@orbyte.nwl.cc>
References: <20201125112342.GA11766@orbyte.nwl.cc> <20201126094021.GK8805@gauss3.secunet.de> <20201126131200.GH4647@orbyte.nwl.cc> <20201127095511.GD9390@gauss3.secunet.de> <20201127141048.GL4647@orbyte.nwl.cc> <20201202131847.GB85961@gauss3.secunet.de>
In-Reply-To: <20201202131847.GB85961@gauss3.secunet.de>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Steffen,

On Wed, Dec 02, 2020 at 02:18:47PM +0100, Steffen Klassert wrote:
> On Fri, Nov 27, 2020 at 03:10:48PM +0100, Phil Sutter wrote:
[...]
> > diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
> > index aa4cdcf69d471..24af61c95b4d4 100644
> > --- a/net/xfrm/xfrm_interface.c
> > +++ b/net/xfrm/xfrm_interface.c
> > @@ -317,7 +317,8 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
> >  	skb_dst_set(skb, dst);
> >  	skb->dev = tdev;
> >  
> > -	err = dst_output(xi->net, skb->sk, skb);
> > +	err = NF_HOOK(skb_dst(skb)->ops->family, NF_INET_LOCAL_OUT, xi->net,
> > +		      skb->sk, skb, NULL, skb_dst(skb)->dev, dst_output);
> >  	if (net_xmit_eval(err) == 0) {
> >  		struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
>
> I don't mind that change, but we have to be careful on namespace transition.
> xi->net is the namespace 'behind' the xfrm interface. I guess this is the
> namespace where you want to do the match because that is the namespace
> that has the policies and states for the xfrm interface. So I think that
> change is correct, I just wanted to point that out explicitly.

Thanks for the heads-up, I didn't consider this at all! But indeed I think
it makes sense. I can move the xfrm interface into a netns after setting
things up, then inside that netns netfilter only sees the plain "inner"
packets and no associated ipsec context. This is correct as the netns
doesn't have any knowledge of the policies present in initial netns.

I'll submit the patch formally.

Thanks, Phil
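Review bot: the `if (net_xmit_eval(err) == 0)` test right after the new `NF_HOOK()` call was written for the return codes of `dst_output()`; `NF_HOOK()` returns 0 when a hook steals or queues the skb and an error such as -EPERM when it drops it, so a stolen or queued packet is now counted in `tstats` as transmitted while a drop lands in the error branch. Worth confirming that this accounting is intended, or separating the hook verdict from the transmit-statistics update. Minor: `dst` was just installed with `skb_dst_set(skb, dst)` two lines above, so `dst->ops->family` and `dst->dev` would do instead of calling `skb_dst(skb)` twice in the same statement.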
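The setup Phil describes above (an xfrm interface configured in the initial netns and then moved into a child netns), written out as a shell script. This is an added example, not code from the thread or from the kernel patch under discussion. Interface and netns names, the underlay device, all addresses and the GCM key are constructed placeholders; the `ipsec out reqid` rule in the initial netns assumes a kernel carrying the hook change, since without it LOCAL_OUT never sees the packet together with its policy. With DRY_RUN=1 (the default) the script only prints the command plan; DRY_RUN=0 executes it and needs root, iproute2 with `if_id` support and nftables.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two-netns xfrm interface
# setup.  Interface, SA and policy are created in the initial netns (xi->net
# in the patch), then the interface alone is moved into a child netns.
# Every name, address and the key below is a constructed placeholder.

: "${DRY_RUN:=1}"        # 1 = print the plan, 0 = run it (root required)
IF_ID=42                 # if_id shared by interface, SA and policy
XFRMDEV=ipsec0           # assumed xfrm interface name
NS=inner                 # assumed child netns name
UNDERLAY=eth0            # assumed underlay device in the initial netns
LOCAL_IP=192.0.2.1       # constructed tunnel endpoints (TEST-NET-1)
PEER_IP=192.0.2.2
INNER_NET=10.0.0.0/24    # constructed inner prefixes
INNER_ADDR=10.0.0.1/24
PEER_NET=10.0.1.0/24
REQID=1
# constructed 36-byte (32-byte key + 4-byte salt) value for rfc4106(gcm(aes));
# a real deployment generates this from a CSPRNG and never reuses it
KEY=0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: interface, SA and policy all live in the initial netns and are tied
# together by if_id; this is the netns whose LOCAL_OUT hook the patch invokes.
setup_initial_netns() {
    run ip link add "$XFRMDEV" type xfrm dev "$UNDERLAY" if_id "$IF_ID"
    run ip xfrm state add src "$LOCAL_IP" dst "$PEER_IP" proto esp \
        spi 0x1000 reqid "$REQID" mode tunnel \
        aead 'rfc4106(gcm(aes))' "$KEY" 128 if_id "$IF_ID"
    run ip xfrm policy add src "$INNER_NET" dst "$PEER_NET" dir out \
        tmpl src "$LOCAL_IP" dst "$PEER_IP" proto esp reqid "$REQID" \
        mode tunnel if_id "$IF_ID"
    # Here the plain inner packet is seen together with its xfrm policy,
    # so the rule can key on the ipsec context (assumes the hook change).
    run nft add table inet xfrmi_demo
    run nft add chain inet xfrmi_demo output '{ type filter hook output priority 0; }'
    run nft add rule inet xfrmi_demo output ipsec out reqid "$REQID" counter
}

# Step 2: move only the interface; states and policies stay behind.
move_to_child_netns() {
    run ip netns add "$NS"
    run ip link set "$XFRMDEV" netns "$NS"
    run ip -n "$NS" addr add "$INNER_ADDR" dev "$XFRMDEV"
    run ip -n "$NS" link set "$XFRMDEV" up
    run ip -n "$NS" route add "$PEER_NET" dev "$XFRMDEV"
    # Inside the child netns the output hook sees the plain inner packet with
    # no ipsec context, so the output interface is all there is to match on.
    run ip netns exec "$NS" nft add table inet xfrmi_demo
    run ip netns exec "$NS" nft add chain inet xfrmi_demo output '{ type filter hook output priority 0; }'
    run ip netns exec "$NS" nft add rule inet xfrmi_demo output oifname "$XFRMDEV" counter
}

# Full procedure; in dry-run mode its output is the command plan.
xfrmi_demo() {
    setup_initial_netns
    move_to_child_netns
}

xfrmi_demo
```

Run it once with the default DRY_RUN=1 to review the plan, then with DRY_RUN=0 as root; `nft list table inet xfrmi_demo` in each netns afterwards shows which of the two counters sees traffic sent to PEER_NET from inside the child netns.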