NACK: [PATCH 0/1] [focal:linux, hirsute:linux, impish:linux] ebpf: fix mark management wrt bpf_redirect
Tim Gardner
tim.gardner at canonical.com
Thu Jul 29 12:46:20 UTC 2021
v2 on the way
On 7/29/21 6:33 AM, Tim Gardner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1935040
>
> [Impact]
>
> The ebpf function 'bpf_redirect' reset the mark when used with the flag BPF_F_INGRESS.
> There are two main problems with that:
> - it's not consistent between legacy tunnels and ebpf;
> - it's not consistent between ingress and egress.
>
> In fact, the eBPF program can easily reset the mark, but it cannot preserve it.
>
> This kind of patch was already done in the past, see commit 963a88b31ddb
> ("tunnels: harmonize cleanup done on skb on xmit path"), commit ea23192e8e57
> ("tunnels: harmonize cleanup done on skb on rx path") and commit
> 213dd74aee76 ("skbuff: Do not scrub skb mark within the same name space").
>
> [Fix]
>
> This is fixed upstream with commit ff70202b2d1a ("dev_forward_skb: do not scrub
> skb mark within the same name space").
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff70202b2d1a
>
>
> [Test Case]
>
> Mark a packet in the POSTROUTING hook, redirect it to another interface and
> display it with a netfilter log rule to check the mark.
>
> [Where problems could occur]
>
> A user could expect that the mark is reset after a call to bpf_redirect(BPF_F_INGRESS),
> but he could easily reset it in the eBPF program himself.
>
>
> [Other Info]
>
>
--
-----------
Tim Gardner
Canonical, Inc
More information about the kernel-team
mailing list