[Devel] [PATCH RHEL8 COMMIT] ve/veth: drop skb marks on VE boundary

Konstantin Khorenko khorenko at virtuozzo.com
Tue May 4 17:34:33 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.25
------>
commit cbea988276ad12294e7635148aee4d7eb06062a9
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Tue May 4 17:34:33 2021 +0300

    ve/veth: drop skb marks on VE boundary
    
    Before this patch one can create veth based vz8 container and setup:
    
    On host:
    
    iptables -A OUTPUT -j MARK --set-mark 33
    
    In CT:
    
    iptables -A INPUT -m mark --mark 33 -j DROP
    
    This would lead to all incoming traffic to the container being dropped in
    the container (same in the opposite direction).  That is wrong... All packets
    that are sent to or received from container should not have any marks
    similar to what happens with packets to/from the real node.
    
    Now when we drop vznetstat in vz8 we can safely revert this hack:
    
    Revert "ve/veth: don't drop skb->mark if NETIF_F_VENET is set"
    This reverts commit 34a3e6097c97872df787de4ab6f9cbb9580e6625.
    
    https://jira.sw.ru/browse/PSBM-127785
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/core/skbuff.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index cedc3dc9f1c6..5cb45c9226fd 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5055,9 +5055,8 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
 		return;
 
 	ipvs_reset(skb);
+	skb->mark = 0;
 	skb->tstamp = 0;
-	if (!(skb->dev->features & NETIF_F_VENET))
-		skb->mark = 0;
 }
 EXPORT_SYMBOL_GPL(skb_scrub_packet);
 
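Review bot: the removed lines `-	if (!(skb->dev->features & NETIF_F_VENET))` / `-		skb->mark = 0;` were the only thing keeping skb->mark alive across the scrub for NETIF_F_VENET devices, so this hunk should be paired with a check that no remaining vz8 code path still reads the mark after a cross-netns veth hop (the commit message names the now-dropped vznetstat as the consumer; if nothing else depends on it, the series should also say whether the NETIF_F_VENET feature bit itself is still needed anywhere). Two smaller points: the unconditional `+	skb->mark = 0;` placed before `skb->tstamp = 0;` restores the upstream ordering of skb_scrub_packet, which keeps later backports of this function clean, and the clearing still sits after the early `return;` at the top of the hunk, i.e. under the function's `xnet` condition, so a mark is dropped only when the packet actually crosses a network namespace, which is the VE boundary the subject line describes.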

