[Devel] [PATCH RHEL8 COMMIT] ve/venet: drop skb marks on VE boundary

Konstantin Khorenko khorenko at virtuozzo.com
Tue May 4 17:34:33 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.25
------>
commit b1f830bdea00ecbf3e4d9a72856eab6911c95877
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Tue May 4 17:34:33 2021 +0300

    ve/venet: drop skb marks on VE boundary
    
    Before this patch one can create venet based vz8 container and setup:
    
    On host:
    
    iptables -A OUTPUT -j MARK --set-mark 33
    
    In CT:
    
    iptables -A INPUT -m mark --mark 33 -j DROP
    
    This would lead all incoming traffic to the container to be dropped in
    the container (same in the opposite direction). That is wrong... All packets
    that are sent to or received from a container should not have any marks,
    similar to what happens with packets to/from the real node.
    
    This is the only hunk from ("vznetstat: Move the code to drop redundant
    skb marks to *_xmit() functions #PSBM-122082") which is still relevant,
    but let's make it work in both directions.
    
    https://jira.sw.ru/browse/PSBM-127785
    (cherry-picked from vz7 commit 0de95a0dad71 "(vznetstat: Move the code to drop
    redundant skb marks to *_xmit() functions #PSBM-122082"))
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 drivers/net/venetdev.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/net/venetdev.c b/drivers/net/venetdev.c
index cdf56b9e7ec1..2849f84545bf 100644
--- a/drivers/net/venetdev.c
+++ b/drivers/net/venetdev.c
@@ -509,6 +509,23 @@ static int venet_xmit(struct sk_buff *skb, struct net_device *dev)
 	skb_reset_mac_header(skb);
 	memset(skb->data - dev->hard_header_len, 0, dev->hard_header_len);
 
+	/*
+	 * Vzctl configures tc on Host for shaping based on skb->marks
+	 * which are set by nft "ingress" rules in host netns. We don't
+	 * want container user see those vz-specific marks.
+	 *
+	 * On the other hand someone might also set own marks inside a
+	 * Container, thus we don't want those user marks to conflict with
+	 * our traffic shaping on host.
+	 *
+	 * Same applies to intercontainer communication.
+	 *
+	 * => if the packet goes between different VEs we must drop all
+	 * skb marks.
+	 */
+	if (ve != dev_net(dev)->owner_ve)
+		skb->mark = 0;
+
 	nf_reset(skb);
 	length = skb->len;
 
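Review bot: the condition `if (ve != dev_net(dev)->owner_ve)` relies on `ve` being the VE on the receiving end of this transmit, but `ve` is assigned above the hunk and is not visible here, so the review should confirm that it is the peer VE resolved for this skb and not the VE of the current context; if it were the latter, the comparison against the owner of the device being transmitted on would never differ and the mark would never be cleared. Assuming `ve` is the destination VE, the check does what the commit message asks for in both directions, since every venet transmit passes through venet_xmit, and a VE sending to itself keeps its marks. Note that the comment promises to drop "all skb marks" while the code clears only `skb->mark`; the conntrack-derived marks (what `-m connmark` would match on) are made unreachable by the `nf_reset(skb)` that follows, which detaches the conntrack entry, so it would be clearer to say so in the comment rather than leave the reader to work out why the `nf_reset()` is sufficient for those. A nit on the comment text: "We don't want container user see those vz-specific marks" should read "We don't want the container user to see those vz-specific marks".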

