From mboxrd@z Thu Jan 1 00:00:00 1970
From: Cong Wang
Subject: Re: [PATCH net-next] net: preserve sock reference when scrubbing the skb.
Date: Wed, 27 Jun 2018 11:59:59 -0700
Message-ID:
References: <20180625155610.30802-1-fbl@redhat.com> <48e15faf-f935-0166-e1db-18f7286e7264@gmail.com> <20180626220300.GT19565@plex.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Cc: Flavio Leitner, Linux Kernel Network Developers, Paolo Abeni, David Miller, Florian Westphal, NetFilter
To: Eric Dumazet
Return-path:
Received: from mail-pf0-f194.google.com ([209.85.192.194]:42451 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965984AbeF0TAM (ORCPT); Wed, 27 Jun 2018 15:00:12 -0400
In-Reply-To:
Sender: netdev-owner@vger.kernel.org
List-ID:

On Tue, Jun 26, 2018 at 7:35 PM Eric Dumazet wrote:
>
> On 06/26/2018 05:44 PM, Cong Wang wrote:
> >
> > With this, a netns could totally throttle a TCP socket in a different
> > netns by holding the packets infinitely (e.g. putting them in a loop).
> > This is where the isolation breaks.
> >
>
> That is fine, really. Admin error -> Working as intended.

The point is never whether it is an error or not; the point is that one
netns could influence another one with this change.

>
> The current scrubbing is simply wrong, not documented, and added by someone
> who had absolutely not intended all the side effects.
>

IIRC, this skb_orphan() was introduced much earlier than TSQ, probably
from the beginning of veth.

Leaving the stack should be effectively equivalent to leaving the host,
from the view of network isolation.