APPLIED[B/F/H]: [PATCH 0/1 v2] [bionic:linux, focal:linux, hirsute:linux, impish:linux] ebpf: fix mark management wrt bpf_redirect
Kelsey Skunberg
kelsey.skunberg at canonical.com
Fri Aug 13 01:02:11 UTC 2021
Applied to B/F/H master-next. Thank you!
-Kelsey
On 2021-07-29 06:51:17 , Tim Gardner wrote:
> v2 - this also applies to Bionic. The original offending commit was released in v3.12.
>
> BugLink: https://bugs.launchpad.net/bugs/1935040
>
> [Impact]
>
> The ebpf function 'bpf_redirect' reset the mark when used with the flag BPF_F_INGRESS.
> There are two main problems with that:
> - it's not consistent between legacy tunnels and ebpf;
> - it's not consistent between ingress and egress.
>
> In fact, the eBPF program can easily reset the mark, but it cannot preserve it.
>
> This kind of patch was already done in the past, see commit 963a88b31ddb
> ("tunnels: harmonize cleanup done on skb on xmit path"), commit ea23192e8e57
> ("tunnels: harmonize cleanup done on skb on rx path") and commit
> 213dd74aee76 ("skbuff: Do not scrub skb mark within the same name space").
>
> [Fix]
>
> This is fixed upstream with commit ff70202b2d1a ("dev_forward_skb: do not scrub
> skb mark within the same name space").
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff70202b2d1a
>
> [Test Case]
>
> Mark a packet in the POSTROUTING hook, redirect it to another interface and
> display it with a netfilter log rule to check the mark.
>
> [Where problems could occur]
>
> A user could expect that the mark is reset after a call to bpf_redirect(BPF_F_INGRESS),
> but he could easily reset it in the eBPF program himself.
>
> [Other Info]
>
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list