From: Liran Alon <LIRAN.ALON@ORACLE.COM>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
idan.brown@ORACLE.COM, yuval.shaia@ORACLE.COM
Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns
Date: Tue, 20 Mar 2018 17:34:38 +0200 [thread overview]
Message-ID: <5AB12A0E.2060704@ORACLE.COM> (raw)
In-Reply-To: <20180320.104759.796804827689233281.davem@davemloft.net>
On 20/03/18 16:47, David Miller wrote:
> From: Liran Alon <liran.alon@oracle.com>
> Date: Tue, 13 Mar 2018 17:07:22 +0200
>
>> Before this commit, dev_forward_skb() always cleared packet's
>> per-network-namespace info. Even if the packet doesn't cross
>> network namespaces.
>
> There was a lot of discussion about this patch.
>
> Particularly whether it could potentially break current
> users or not.
>
> If this is resolved and the patch should still be applied,
> please repost and the folks involved in this dicussion should
> add their ACKs.
>
> Thanks.
>
The problem is that I don't think we have reached an agreement.
I would be happy to here your opinion on the issue at hand here.
I personally don't understand why we should maintain
backwards-comparability to this behaviour. How would a user rely on the
fact that skb->mark is scrubbed when it is passed between 2 netdevs on
the same netns but only when it is passed between very specific netdev
type (one of them being veth-peers).
This behaviour seems to have been created by mistake.
This feature is not documented to user-mode and I don't see why it is
legit for the user to rely on it.
In addition, even if we do want to maintain backwards-comparability to
this behaviour, I think it is enough to have an opt-in flag in
/proc/sys/net/core/ that when set to 1 will activate the fix in
dev_forward_skb() provided by this patch. That would also be a very
simple change to the patch provided here.
Do you agree? Or do you think we should have a flag per netdev like
suggested in other replies to this thread?
Thanks,
-Liran
next prev parent reply other threads:[~2018-03-20 15:34 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-13 15:07 [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns Liran Alon
2018-03-13 16:13 ` Yuval Shaia
2018-03-14 12:03 ` Yuval Shaia
2018-03-15 9:21 ` Shmulik Ladkani
2018-03-15 11:56 ` Daniel Borkmann
2018-03-15 12:50 ` Shmulik Ladkani
2018-03-15 15:13 ` Daniel Borkmann
2018-03-15 15:54 ` Shmulik Ladkani
2018-03-15 17:48 ` Daniel Borkmann
2018-03-20 14:47 ` David Miller
2018-03-20 15:34 ` Liran Alon [this message]
2018-03-20 16:00 ` David Miller
2018-03-20 16:11 ` Liran Alon
2018-03-20 16:34 ` David Miller
2018-03-20 16:39 ` Liran Alon
2018-03-20 18:51 ` valdis.kletnieks
2018-03-20 21:12 ` Liran Alon
2018-03-15 12:14 Liran Alon
2018-03-15 12:23 Liran Alon
2018-03-15 14:35 ` Roman Mashak
2018-03-15 14:53 ` Daniel Borkmann
2018-03-15 15:01 Liran Alon
2018-03-15 16:11 ` Shmulik Ladkani
2018-03-15 15:05 Liran Alon
2018-03-15 16:35 Liran Alon
2018-03-15 16:50 ` Shmulik Ladkani
2018-03-15 17:14 Liran Alon
2018-03-20 16:24 ` Eric W. Biederman
2018-03-20 16:44 ` Liran Alon
2018-03-20 17:07 ` Ben Greear
2018-03-20 18:35 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5AB12A0E.2060704@ORACLE.COM \
--to=liran.alon@oracle.com \
--cc=davem@davemloft.net \
--cc=idan.brown@ORACLE.COM \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=yuval.shaia@ORACLE.COM \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.