Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns

[Liran Alon]

On 20/03/18 16:47, David Miller wrote:
> From: Liran Alon <liran.alon@xxxxxxxxxx>
> Date: Tue, 13 Mar 2018 17:07:22 +0200
>
> > Before this commit, dev_forward_skb() always cleared packet's
> > per-network-namespace info. Even if the packet doesn't cross
> > network namespaces.
>
> There was a lot of discussion about this patch.
>
> Particularly whether it could potentially break current
> users or not.
>
> If this is resolved and the patch should still be applied,
> please repost and the folks involved in this dicussion should
> add their ACKs.
>
> Thanks.

The problem is that I don't think we have reached an agreement.
I would be happy to here your opinion on the issue at hand here.

I personally don't understand why we should maintain 
backwards-comparability to this behaviour. How would a user rely on the 
fact that skb->mark is scrubbed when it is passed between 2 netdevs on 
the same netns but only when it is passed between very specific netdev 
type (one of them being veth-peers).
This behaviour seems to have been created by mistake.
This feature is not documented to user-mode and I don't see why it is 
legit for the user to rely on it.

In addition, even if we do want to maintain backwards-comparability to 
this behaviour, I think it is enough to have an opt-in flag in 
/proc/sys/net/core/ that when set to 1 will activate the fix in 
dev_forward_skb() provided by this patch. That would also be a very 
simple change to the patch provided here.

Do you agree? Or do you think we should have a flag per netdev like 
suggested in other replies to this thread?

Thanks,
-Liran