[PATCH 0/1 v2] [bionic:linux, focal:linux, hirsute:linux, impish:linux] ebpf: fix mark management wrt bpf_redirect

Tim Gardner tim.gardner at canonical.com
Thu Jul 29 12:51:17 UTC 2021

v2 - this also applies to Bionic. The original offending commit was released in v3.12.

BugLink: https://bugs.launchpad.net/bugs/1935040


The ebpf function 'bpf_redirect' reset the mark when used with the flag BPF_F_INGRESS.
There are two main problems with that:
 - it's not consistent between legacy tunnels and ebpf;
 - it's not consistent between ingress and egress.

In fact, the eBPF program can easily reset the mark, but it cannot preserve it.

This kind of patch was already done in the past, see commit 963a88b31ddb
("tunnels: harmonize cleanup done on skb on xmit path"), commit ea23192e8e57
("tunnels: harmonize cleanup done on skb on rx path") and commit
213dd74aee76 ("skbuff: Do not scrub skb mark within the same name space").


This is fixed upstream with commit ff70202b2d1a ("dev_forward_skb: do not scrub
skb mark within the same name space").


[Test Case]

Mark a packet in the POSTROUTING hook, redirect it to another interface and
display it with a netfilter log rule to check the mark.

[Where problems could occur]

A user could expect that the mark is reset after a call to bpf_redirect(BPF_F_INGRESS),
but he could easily reset it in the eBPF program himself.

[Other Info]

More information about the kernel-team mailing list