From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ACC91C64E75 for ; Fri, 27 Nov 2020 09:44:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5870E221F7 for ; Fri, 27 Nov 2020 09:44:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726877AbgK0JoT (ORCPT ); Fri, 27 Nov 2020 04:44:19 -0500 Received: from a.mx.secunet.com ([62.96.220.36]:35790 "EHLO a.mx.secunet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726316AbgK0JoR (ORCPT ); Fri, 27 Nov 2020 04:44:17 -0500 Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id C2191204B4; Fri, 27 Nov 2020 10:44:15 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CwqgY3zRmWPm; Fri, 27 Nov 2020 10:44:15 +0100 (CET) Received: from cas-essen-02.secunet.de (unknown [10.53.40.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 3E5802026E; Fri, 27 Nov 2020 10:44:15 +0100 (CET) Received: from mbx-essen-01.secunet.de (10.53.40.197) by cas-essen-02.secunet.de (10.53.40.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Fri, 27 Nov 2020 10:44:15 +0100 Received: from gauss2.secunet.de (10.182.7.193) by mbx-essen-01.secunet.de (10.53.40.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Fri, 27 Nov 2020 10:44:14 +0100 Received: by gauss2.secunet.de (Postfix, from userid 1000) id 8781531805CB; Fri, 27 Nov 2020 10:44:14 +0100 (CET) Date: Fri, 27 Nov 2020 10:44:14 +0100 From: Steffen Klassert To: Eyal Birger CC: , , , Subject: Re: [PATCH ipsec-next] xfrm: interface: support collect metadata mode Message-ID: <20201127094414.GC9390@gauss3.secunet.de> References: <20201121142823.3629805-1-eyal.birger@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <20201121142823.3629805-1-eyal.birger@gmail.com> X-ClientProxiedBy: cas-essen-01.secunet.de (10.53.40.201) To mbx-essen-01.secunet.de (10.53.40.197) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Sat, Nov 21, 2020 at 04:28:23PM +0200, Eyal Birger wrote: > This commit adds support for 'collect_md' mode on xfrm interfaces. > > Each net can have one collect_md device, created by providing the > IFLA_XFRM_COLLECT_METADATA flag at creation. This device cannot be > altered and has no if_id or link device attributes. > > On transmit to this device, the if_id is fetched from the attached dst > metadata on the skb. The dst metadata type used is METADATA_IP_TUNNEL > since the only needed property is the if_id stored in the tun_id member > of the ip_tunnel_info->key. Can we please have a separate metadata type for xfrm interfaces? Sharing such structures turned already out to be a bad idea on vti interfaces, let's try to avoid that misstake with xfrm interfaces. > On the receive side, xfrmi_rcv_cb() populates a dst metadata for each > packet received and attaches it to the skb. The if_id used in this case is > fetched from the xfrm state. This can later be used by upper layers such > as tc, ebpf, and ip rules. > > Because the skb is scrubed in xfrmi_rcv_cb(), the attachment of the dst > metadata is postponed until after scrubing. Similarly, xfrm_input() is > adapted to avoid dropping metadata dsts by only dropping 'valid' > (skb_valid_dst(skb) == true) dsts. > > Policy matching on packets arriving from collect_md xfrmi devices is > done by using the xfrm state existing in the skb's sec_path. > The xfrm_if_cb.decode_cb() interface implemented by xfrmi_decode_session() > is changed to keep the details of the if_id extraction tucked away > in xfrm_interface.c. > > Signed-off-by: Eyal Birger The rest of the patch looks good. Thanks!