lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ad019c34-6b18-9bd8-047f-6688cc4a3b8b@gmail.com>
Date:   Thu, 24 Jun 2021 15:16:51 +0300
From:   Eyal Birger <eyal.birger@...il.com>
To:     Nicolas Dichtel <nicolas.dichtel@...nd.com>
Cc:     netdev@...r.kernel.org, davem@...emloft.net, kuba@...nel.org,
        liran.alon@...cle.com, shmulik.ladkani@...il.com,
        daniel@...earbox.net
Subject: Re: [PATCH net] dev_forward_skb: do not scrub skb mark within the
 same name space

Hi Nicholas,

On 24/06/2021 11:05, Nicolas Dichtel wrote:
> The goal is to keep the mark during a bpf_redirect(), like it is done for
> legacy encapsulation / decapsulation, when there is no x-netns.
> This was initially done in commit 213dd74aee76 ("skbuff: Do not scrub skb
> mark within the same name space").
> 
> When the call to skb_scrub_packet() was added in dev_forward_skb() (commit
> 8b27f27797ca ("skb: allow skb_scrub_packet() to be used by tunnels")), the
> second argument (xnet) was set to true to force a call to skb_orphan(). At
> this time, the mark was always cleanned up by skb_scrub_packet(), whatever
> xnet value was.
> This call to skb_orphan() was removed later in commit
> 9c4c325252c5 ("skbuff: preserve sock reference when scrubbing the skb.").
> But this 'true' stayed here without any real reason.
> 
> Let's correctly set xnet in ____dev_forward_skb(), this function has access
> to the previous interface and to the new interface.

This change was suggested in the past [1] and I think one of the main 
concerns was breaking existing callers which assume the mark would be 
cleared [2].

Personally, I think the suggestion made in [3] adding a flag to 
bpf_redirect() makes a lot of sense for this use case.

Eyal.

[1] 
https://lore.kernel.org/netdev/1520953642-8145-1-git-send-email-liran.alon@oracle.com/

[2] https://lore.kernel.org/netdev/20180315112150.58586758@halley/

[3] 
https://lore.kernel.org/netdev/cd0b73e3-2cde-1442-4312-566c69571e8a@iogearbox.net/


> 
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>
> ---
>   include/linux/netdevice.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index 5cbc950b34df..5ab2d1917ca1 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -4114,7 +4114,7 @@ static __always_inline int ____dev_forward_skb(struct net_device *dev,
>   		return NET_RX_DROP;
>   	}
>   
> -	skb_scrub_packet(skb, true);
> +	skb_scrub_packet(skb, !net_eq(dev_net(dev), dev_net(skb->dev)));
>   	skb->priority = 0;
>   	return 0;
>   }
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ