Message ID | 20150416010326.GA10864@gondor.apana.org.au |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On Thu, 16 Apr 2015, Herbert Xu wrote:

> On Wed, Apr 15, 2015 at 05:41:26PM +0200, Nicolas Dichtel wrote:
> > On 15/04/2015 15:57, Herbert Xu wrote:
> > >On Wed, Apr 15, 2015 at 06:22:29PM +0800, Herbert Xu wrote:
> > [snip]
> > >Subject: skbuff: Do not scrub skb mark within the same name space
> > >
> > >The commit ea23192e8e577dfc51e0f4fc5ca113af334edff9 ("tunnels:
> > Maybe add a Fixes tag?
> > Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path")
> >
> > >harmonize cleanup done on skb on rx path") broke anyone trying to
> > >use netfilter marking across IPv4 tunnels. While most of the
> > >fields that are cleared by skb_scrub_packet don't matter, the
> > >netfilter mark must be preserved.
> > >
> > >This patch rearranges skb_scurb_packet to preserve the mark field.
> > nit: s/scurb/scrub
> >
> > Else it's fine for me.
>
> Sure.
>
> PS I used the wrong email for James the first time around. So
> let me repeat the question here. Should secmark be preserved
> or cleared across tunnels within the same name space? In fact,
> do our security models even support name spaces?

They don't support namespaces, and maintaining the label is critical for
SELinux, at least, which mediates security for the system as a whole.
On 16/04/2015 09:02, James Morris wrote:
> On Thu, 16 Apr 2015, Herbert Xu wrote:
[snip]
>> PS I used the wrong email for James the first time around. So
>> let me repeat the question here. Should secmark be preserved
>> or cleared across tunnels within the same name space? In fact,
>> do our security models even support name spaces?
>
> They don't support namespaces, and maintaining the label is critical for
> SELinux, at least, which mediates security for the system as a whole.

Herbert, could you send a v4 of your patch with the secmark included?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Apr 16, 2015 at 09:35:31AM +0200, Nicolas Dichtel wrote:
> Herbert, could you send a v4 of your patch with the secmark included?
Actually this should go into a separate patch because it's a
straight revert and also that unlike the mark this should never
be cleared, even when you cross a namespace boundary.
But I will send a patch.
Cheers,
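The policy the thread settles on, written out as an added user-space model so the two behaviours can be compared side by side; this is not kernel code and not Herbert's patch. A small struct stands in for the sk_buff fields that skb_scrub_packet touches (the field names, the `owner` member standing in for skb->sk, and the function names are assumptions made for the example). `scrub_before_fix` models the regression the commit message describes, where the netfilter mark is wiped on every scrub; `scrub_agreed_policy` models what the thread agrees on: the mark and the orphaning happen only when a namespace boundary is crossed, and the secmark is never cleared. The secmark part models the separate follow-up Herbert refers to, not the hunk on this page, which still calls skb_init_secmark unconditionally.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the sk_buff fields skb_scrub_packet touches.
 * Not the kernel struct; names and the 'owner' field are assumptions. */
struct pkt {
    uint64_t tstamp;    /* skb->tstamp */
    int      pkt_type;  /* skb->pkt_type */
    int      iif;       /* skb->skb_iif */
    bool     ignore_df; /* skb->ignore_df */
    void    *dst;       /* skb_dst(); dropped by skb_dst_drop() */
    uint32_t mark;      /* netfilter mark, namespace-local */
    uint32_t secmark;   /* LSM label (SELinux), system-wide */
    void    *owner;     /* stands in for skb->sk, dropped by skb_orphan() */
};

#define PACKET_HOST 0

/* Behaviour before the fix, as the commit message describes it: the
 * mark is cleared on every scrub, so a mark set before a same-namespace
 * tunnel never reaches the rules that run after decapsulation. */
void scrub_before_fix(struct pkt *p, bool xnet)
{
    if (xnet)
        p->owner = NULL;          /* skb_orphan() */
    p->tstamp = 0;
    p->pkt_type = PACKET_HOST;
    p->iif = 0;
    p->ignore_df = false;
    p->dst = NULL;                /* skb_dst_drop() */
    p->mark = 0;                  /* unconditional: this is the regression */
    p->secmark = 0;               /* skb_init_secmark() */
}

/* Behaviour the thread converges on: mark (and ownership) are dropped
 * only across a namespace boundary, and the secmark, which SELinux
 * mediates on for the whole system, is never cleared. The secmark part
 * is an assumption about the separate follow-up, not this patch. */
void scrub_agreed_policy(struct pkt *p, bool xnet)
{
    p->tstamp = 0;
    p->pkt_type = PACKET_HOST;
    p->iif = 0;
    p->ignore_df = false;
    p->dst = NULL;
    /* secmark intentionally left untouched */

    if (!xnet)
        return;

    p->owner = NULL;              /* skb_orphan() only across namespaces */
    p->mark = 0;                  /* mark is namespace-local */
}

/* Helpers that return the mark / secmark a consumer would see after a
 * scrub under the given policy, for direct comparison. */
uint32_t mark_after_scrub(void (*scrub)(struct pkt *, bool),
                          uint32_t mark_in, bool xnet)
{
    struct pkt p;
    memset(&p, 0, sizeof(p));
    p.mark = mark_in;             /* constructed sample value */
    p.secmark = 7;                /* constructed sample label */
    scrub(&p, xnet);
    return p.mark;
}

uint32_t secmark_after_scrub(void (*scrub)(struct pkt *, bool), bool xnet)
{
    struct pkt p;
    memset(&p, 0, sizeof(p));
    p.mark = 0x10;                /* constructed sample value */
    p.secmark = 7;                /* constructed sample label */
    scrub(&p, xnet);
    return p.secmark;
}
```

The useful check for a defender is the same-namespace case: under the pre-fix scrub a mark of 0x10 comes out as 0, so any mark-based netfilter policy after the tunnel silently stops matching; under the agreed policy it survives within a namespace and is dropped only when the packet crosses into another one.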
On 04/16/15 at 09:03am, Herbert Xu wrote:
> The commit ea23192e8e577dfc51e0f4fc5ca113af334edff9 ("tunnels:
> harmonize cleanup done on skb on rx path") broke anyone trying to
> use netfilter marking across IPv4 tunnels. While most of the
> fields that are cleared by skb_scrub_packet don't matter, the
> netfilter mark must be preserved.
>
> This patch rearranges skb_scrub_packet to preserve the mark field.
>
> Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Acked-by: Thomas Graf <tgraf@suug.ch>

We should also add a flag to veth which explicitly allows to preserve
the mark into the namespace.
From: Thomas Graf <tgraf@suug.ch>
Date: Thu, 16 Apr 2015 09:33:35 +0100

> On 04/16/15 at 09:03am, Herbert Xu wrote:
>> The commit ea23192e8e577dfc51e0f4fc5ca113af334edff9 ("tunnels:
>> harmonize cleanup done on skb on rx path") broke anyone trying to
>> use netfilter marking across IPv4 tunnels. While most of the
>> fields that are cleared by skb_scrub_packet don't matter, the
>> netfilter mark must be preserved.
>>
>> This patch rearranges skb_scrub_packet to preserve the mark field.
>>
>> Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path")
>> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
>
> Acked-by: Thomas Graf <tgraf@suug.ch>
>
> We should also add a flag to veth which explicitly allows to preserve
> the mark into the namespace.

Applied and queued up for -stable, thanks.
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 3b6e583..a185427 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4124,19 +4124,22 @@ EXPORT_SYMBOL(skb_try_coalesce); */ void skb_scrub_packet(struct sk_buff *skb, bool xnet) { - if (xnet) - skb_orphan(skb); skb->tstamp.tv64 = 0; skb->pkt_type = PACKET_HOST; skb->skb_iif = 0; skb->ignore_df = 0; skb_dst_drop(skb); - skb->mark = 0; skb_sender_cpu_clear(skb); skb_init_secmark(skb); secpath_reset(skb); nf_reset(skb); nf_reset_trace(skb); + + if (!xnet) + return; + + skb_orphan(skb); + skb->mark = 0; } EXPORT_SYMBOL_GPL(skb_scrub_packet);
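Review bot: skb_init_secmark(skb) stays in the unconditional part of skb_scrub_packet in this hunk, so the LSM secmark is still wiped on every scrub, including same-namespace tunnel decapsulation, even though the thread concludes it must never be cleared (James Morris: the security models have no namespace support and SELinux relies on the label system-wide). Herbert says that goes in a separate straight revert, which is fine, but the commit message should state it, otherwise a reader of this change will take the mark/secmark asymmetry as intended. A one-line comment above `if (!xnet)` saying that skb_orphan() and `skb->mark = 0` are namespace-boundary-only would also spare the next reader the question this thread had to ask. The move of skb_orphan() from the top of the function to after nf_reset_trace() has no ordering dependency on the fields cleared in between, so the early-return restructuring is otherwise fine.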