Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns

[Ben Greear]

On 03/20/2018 09:44 AM, Liran Alon wrote:
> On 20/03/18 18:24, ebiederm@xxxxxxxxxxxx wrote:
> > I don't believe the current behavior is a bug.
> >
> > I looked through the history.  Basically skb_scrub_packet
> > started out as the scrubbing needed for crossing network
> > namespaces.
> >
> > Then tunnels which needed 90% of the functionality started
> > calling it, with the xnet flag added.  Because the tunnels
> > needed to preserve their historic behavior.
> >
> > Then dev_forward_skb started calling skb_scrub_packet.
> >
> > A veth pair is supposed to give the same behavior as a cross-over
> > cable plugged into two local nics.  A cross over cable won't
> > preserve things like the skb mark.  So I don't see why anyone would
> > expect a veth pair to preserve the mark.
>
> I disagree with this argument.
>
> I think that a skb crossing netns is what simulates a real packet crossing physical computers. Following your argument, why would skb->mark should be preserved
> when crossing netdevs on same netns via routing? But this does today preserve skb->mark.
>
> Therefore, I do think that skb->mark should conceptually only be scrubbed when crossing netns. Regardless of the netdev used to cross it.

It should be scrubbed in VETH as well.  That is one way to make virtual routers.  Possibly
the newer VRF features will give another better way to do it, but you should not break
things that used to work.

Now, if you want to add a new feature that allows one to configure the kernel (or VETH) for
a new behavior, then that might be something to consider.

> > Right now I don't see the point of handling packets that don't cross
> > network namespace boundaries specially, other than to preserve backwards
> > compatibility.

Well, backwards compat is a big deal all by itself!

Thanks,
Ben

> > Eric


--
Ben Greear <greearb@xxxxxxxxxxxxxxx>
Candela Technologies Inc  http://www.candelatech.com