From: Joe Stringer
To: dev@openvswitch.org
Date: Sat, 7 Nov 2015 11:59:57 -0800
Message-Id: <1446926401-55723-20-git-send-email-joestringer@nicira.com>
In-Reply-To: <1446926401-55723-1-git-send-email-joestringer@nicira.com>
References: <1446926401-55723-1-git-send-email-joestringer@nicira.com>
Subject: [ovs-dev] [PATCH 19/23] datapath: Scrub skb between namespaces

If OVS receives a packet from another namespace, then the packet should be scrubbed. However, people have already begun to rely on the behaviour that skb->mark is preserved across namespaces, so retain this one field.

This is mainly to address information leakage between namespaces when using OVS internal ports, but by placing it in ovs_vport_receive() it is more generally applicable, meaning it should not be overlooked if other port types are allowed to be moved into namespaces in future.

Upstream: 740dbc289155 ("openvswitch: Scrub skb between namespaces")
Signed-off-by: Joe Stringer
--- datapath/vport.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/datapath/vport.c b/datapath/vport.c index 0951cbbdb4e6..899119f9f992 100644 --- a/datapath/vport.c +++ b/datapath/vport.c
@@ -494,6 +494,15 @@ int ovs_vport_receive(struct vport *vport, struct sk_buff *skb, OVS_CB(skb)->input_vport = vport; OVS_CB(skb)->mru = 0; + if (unlikely(dev_net(skb->dev) != ovs_dp_get_net(vport->dp))) { + u32 mark; + + mark = skb->mark; + skb_scrub_packet(skb, true); + skb->mark = mark; + tun_info = NULL; + } + ovs_skb_init_inner_protocol(skb); skb_clear_ovs_gso_cb(skb); /* Extract flow from 'skb' into 'key'. */
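
Review bot: The new cross-namespace branch in ovs_vport_receive() carries no comment for its two departures from a plain scrub: skb->mark is saved before skb_scrub_packet(skb, true) and written back afterwards, and tun_info is set to NULL. The commit message gives the reason for keeping the mark (existing users rely on it) but says nothing about tun_info, so a short comment above the block, stating that the mark is deliberately carried across namespaces and that tunnel metadata is dropped, would stop a later reader from treating either as an oversight. As a style point, the condition compares the two struct net pointers with != directly; a negated net_eq() is the usual kernel helper for that comparison.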