From: Eyal Birger
Date: Tue, 8 Dec 2020 16:47:02 +0200
Subject: Re: [PATCH v2] xfrm: interface: Don't hide plain packets from netfilter
To: Phil Sutter
Cc: Steffen Klassert, linux-crypto@vger.kernel.org, netfilter-devel@vger.kernel.org, Linux Kernel Network Developers, Nicolas Dichtel
In-Reply-To: <20201207134309.16762-1-phil@nwl.cc>
References: <20201207134309.16762-1-phil@nwl.cc>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Phil,

On Mon, Dec 7, 2020 at 4:07 PM Phil Sutter wrote:
>
> With an IPsec tunnel without dedicated interface, netfilter sees locally
> generated packets twice as they exit the physical interface: Once as "the
> inner packet" with IPsec context attached and once as the encrypted
> (ESP) packet.
>
> With xfrm_interface, the inner packet did not traverse NF_INET_LOCAL_OUT
> hook anymore, making it impossible to match on both inner header values
> and associated IPsec data from that hook.
>

Why wouldn't locally generated traffic traverse the NF_INET_LOCAL_OUT
hook via e.g. __ip_local_out() when xmitted on an xfrmi?
I would expect it to appear in netfilter, but without the IPsec context,
as it's not there yet.

> Fix this by looping packets transmitted from xfrm_interface through
> NF_INET_LOCAL_OUT before passing them on to dst_output(), which makes
> behaviour consistent again from netfilter's point of view.

When an XFRM interface is used when forwarding, why would it be correct
for NF_INET_LOCAL_OUT to observe the inner packet?

What am I missing?

Thanks!
Eyal.
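As an added illustration that is not part of the thread and not code from the patch, the nftables rules below are the kind of output-hook match the commit message refers to: one rule counts the inner packet by an inner header value together with its outbound IPsec policy context, the other counts the same traffic again as the ESP packet. The reqid and the addresses are constructed.

```nft
# Constructed example: an output-hook chain that counts both views of a
# locally generated IPsec-tunnelled packet as described in the commit message.
# reqid 42, 192.0.2.0/24 and 198.51.100.1 are assumed sample values.
table inet ipsec_observe {
    chain output {
        type filter hook output priority 0; policy accept;

        # Inner packet: inner header value (ip daddr) combined with the
        # associated outbound IPsec policy (ipsec out reqid). Per the commit
        # message, this combination could not be matched in the output hook
        # for xfrm_interface traffic before the patch, because the inner
        # packet no longer traversed NF_INET_LOCAL_OUT.
        ipsec out reqid 42 ip daddr 192.0.2.0/24 counter comment "inner+xfrm"

        # Outer packet: the same traffic seen a second time after
        # encapsulation, now as ESP towards the tunnel peer.
        meta l4proto esp ip daddr 198.51.100.1 counter comment "esp-outer"
    }
}
```

Load it with `nft -f` and compare the two counters with `nft list table inet ipsec_observe`; on an xfrm_interface setup the first counter only advances once the inner packet is passed through NF_INET_LOCAL_OUT with its IPsec context attached.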