skbuff: Do not scrub skb mark within the same name space

On Wed, Apr 15, 2015 at 05:41:26PM +0200, Nicolas Dichtel wrote: > Le 15/04/2015 15:57, Herbert Xu a écrit : > >On Wed, Apr 15, 2015 at 06:22:29PM +0800, Herbert Xu wrote: > [snip] > >Subject: skbuff: Do not scrub skb mark within the same name space > > > >The commit ea23192e8e577dfc51e0f4fc5ca113af334edff9 ("tunnels: > Maybe add a Fixes tag? > Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path") > > >harmonize cleanup done on skb on rx path") broke anyone trying to > >use netfilter marking across IPv4 tunnels. While most of the > >fields that are cleared by skb_scrub_packet don't matter, the > >netfilter mark must be preserved. > > > >This patch rearranges skb_scurb_packet to preserve the mark field. > nit: s/scurb/scrub > > Else it's fine for me. Sure. PS I used the wrong email for James the first time around. So let me repeat the question here. Should secmark be preserved or cleared across tunnels within the same name space? In fact, do our security models even support name spaces? ---8<--- The commit ea23192e8e577dfc51e0f4fc5ca113af334edff9 ("tunnels: harmonize cleanup done on skb on rx path") broke anyone trying to use netfilter marking across IPv4 tunnels. While most of the fields that are cleared by skb_scrub_packet don't matter, the netfilter mark must be preserved. This patch rearranges skb_scrub_packet to preserve the mark field. Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2015-04-15 21:03:27 -0400
committer: David S. Miller <davem@davemloft.net> 2015-04-16 14:20:40 -0400
commit: 213dd74aee765d4e5f3f4b9607fef0cf97faa2af (patch)
tree: cdc47056012c571b67249a68129dee21886cf6f4 /net
parent: 4c0ee414e877b899f7fc80aafb98d9425c02797f (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f9800f4059b4..d1967dab9cc6 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4124,18 +4124,21 @@ EXPORT_SYMBOL(skb_try_coalesce);
 */
 void skb_scrub_packet(struct sk_buff *skb, bool xnet)
 {
-        if (xnet)
-                skb_orphan(skb);
        skb->tstamp.tv64 = 0;
        skb->pkt_type = PACKET_HOST;
        skb->skb_iif = 0;
        skb->ignore_df = 0;
        skb_dst_drop(skb);
-        skb->mark = 0;
        skb_sender_cpu_clear(skb);
        secpath_reset(skb);
        nf_reset(skb);
        nf_reset_trace(skb);
+        if (!xnet)
+                return;
+        skb_orphan(skb);
+        skb->mark = 0;
 }
 EXPORT_SYMBOL_GPL(skb_scrub_packet);
author	Herbert Xu <herbert@gondor.apana.org.au>	2015-04-15 21:03:27 -0400
committer	David S. Miller <davem@davemloft.net>	2015-04-16 14:20:40 -0400
commit	213dd74aee765d4e5f3f4b9607fef0cf97faa2af (patch)
tree	cdc47056012c571b67249a68129dee21886cf6f4 /net
parent	4c0ee414e877b899f7fc80aafb98d9425c02797f (diff)