Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp4983478pxu;
        Thu, 10 Dec 2020 10:01:52 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyyt8OGBE+DZVLnDSbsis30tyyVQ0EoueQPHrW69ODruX2PaZjUWSZoqRWgW5vTEy+6eapz
X-Received: by 2002:a17:906:74c1:: with SMTP id z1mr7706334ejl.182.1607623312600;
        Thu, 10 Dec 2020 10:01:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1607623312; cv=none;
        d=google.com; s=arc-20160816;
        b=BE1JVmuBEIZKPnrYC+X8zHxjFmFHKqfpCwT2qlKbftfAKDD7+4cgBCVLT9KqHE5SUs
         7A7CXPHxjQV1GvAiQDH3pYLIBhghiDcPGbWHTq6PX3q+iOfyzC5fECz8Digq2TB72kTW
         TtFhvwEjmsTB9PtWcE6UwHPaKnBl/BTTeDJW/zKBmTUThKdUnQSSEPHfsGp++hanBKDU
         z2TuJ1K7Qt1kUiHdKjHisT1FVc3dALoE1Mx4saX3vY1gSrvif0E93J+tFeGV3aCSSX9g
         NNuy23tTpa0vadJOKbtApX1hQd3qa4Ead1dxu64tAf++X+rGG37PeYDKIusipWPBYlLe
         DAVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date;
        bh=BiOcLRufSw09KIgCm79pog0CELUPvDIAzgU5FKMt6Iw=;
        b=Sb3em9AjBua6t53h7cHW9Ybgti1PRRlpGsX3ThSi6oMzotQN32zdxeDCGndlSRGm0c
         6klQN1nLrCaX8iKMqTAPwHr1Z1Vi3pcVWEsAHruUM/k6A97LBjv967GLPdPs+qhleMOf
         llK5TLLTyc4hNBs2f8IhMW3eDxZOTBoXf7nW3KnWQKDKs7PR2FvSzCNWdxsnVmOdgH9a
         QKVXUmZjGfPePS4xMZh4H7J8ztC3IWxir4A762jXBau0ee0RbSAzlluTlvQxT4pG+W3T
         Xys7+KKok2hWG2dcI56oaNwcluSQcj42HnomVjambzGSIT9drVye/pwquGAzjOMjakli
         X9Aw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bs12si2952359ejb.127.2020.12.10.10.01.21;
        Thu, 10 Dec 2020 10:01:52 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2393006AbgLJR63 (ORCPT <rfc822;rusydi.hasan@gmail.com>
        + 99 others); Thu, 10 Dec 2020 12:58:29 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36842 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2393004AbgLJR6Z (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Thu, 10 Dec 2020 12:58:25 -0500
Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DEBB5C0613CF;
        Thu, 10 Dec 2020 09:57:44 -0800 (PST)
Received: from n0-1 by orbyte.nwl.cc with local (Exim 4.94)
        (envelope-from <n0-1@orbyte.nwl.cc>)
        id 1knQCC-0004PW-Ga; Thu, 10 Dec 2020 18:57:40 +0100
Date:   Thu, 10 Dec 2020 18:57:40 +0100
From:   Phil Sutter <phil@nwl.cc>
To:     Nicolas Dichtel <nicolas.dichtel@6wind.com>
Cc:     Eyal Birger <eyal.birger@gmail.com>,
        Steffen Klassert <steffen.klassert@secunet.com>,
        linux-crypto@vger.kernel.org, netfilter-devel@vger.kernel.org,
        Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: [PATCH v2] xfrm: interface: Don't hide plain packets from
 netfilter
Message-ID: <20201210175740.GI4647@orbyte.nwl.cc>
Mail-Followup-To: Phil Sutter <phil@nwl.cc>,
        Nicolas Dichtel <nicolas.dichtel@6wind.com>,
        Eyal Birger <eyal.birger@gmail.com>,
        Steffen Klassert <steffen.klassert@secunet.com>,
        linux-crypto@vger.kernel.org, netfilter-devel@vger.kernel.org,
        Linux Kernel Network Developers <netdev@vger.kernel.org>
References: <20201207134309.16762-1-phil@nwl.cc>
 <CAHsH6Gupw7o96e5hOmaLBCZtqgoV0LZ4L7h-Y+2oROtXSXvTxw@mail.gmail.com>
 <20201208185139.GZ4647@orbyte.nwl.cc>
 <CAHsH6GvT=Af-BAWK0z_CdrYWPn0qt+C=BRjy10MLRNhLWfH0rQ@mail.gmail.com>
 <9fc5cbb8-26c7-c1c2-2018-3c0cd8c805f4@6wind.com>
 <CAHsH6GsoavW+435MOTKy33iznMc_-JZ-kndr+G=YxuW7DWLNPA@mail.gmail.com>
 <b5c1259b-71e8-57d2-85f2-d5971f33e977@6wind.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <b5c1259b-71e8-57d2-85f2-d5971f33e977@6wind.com>
Sender:  <n0-1@orbyte.nwl.cc>
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Nicolas,

On Thu, Dec 10, 2020 at 02:18:45PM +0100, Nicolas Dichtel wrote:
> Le 10/12/2020 à 12:48, Eyal Birger a écrit :
> > On Thu, Dec 10, 2020 at 1:10 PM Nicolas Dichtel
> > <nicolas.dichtel@6wind.com> wrote:
> [snip]
> > I also think they should be consistent. But it'd still be confusing to me
> > to get an OUTPUT hook on the inner packet in the forwarding case.
> I re-read the whole thread and I agree with you. There is no reason to pass the
> inner packet through the OUTPUT hook (my comment about the consistency with ip
> tunnels is still valid ;-)).
> Sorry for the confusion.
> 
> Phil, with nftables, you can match the 'kind' of the interface, that should be
> enough to match packets, isn't it?

Yes, sure. Also, the inner packet passes POSTROUTING hook with ipsec
context present, it's just not visible in OUTPUT. Of course the broader
question is what do people use ipsec context matches for. If it's really
just to ensure traffic is encrypted, xfrm_interface alone is sufficient.

Originally this was reported as "ipsec match stops working if
xfrm_interface is used" and I suspected it's a bug in the driver.
Knowing the behaviour is expected (and at least consistent with vti),
the case is closed from my side. :)

Thanks, Phil