Hi Steffen, On Wed, Dec 02, 2020 at 02:18:47PM +0100, Steffen Klassert wrote: > On Fri, Nov 27, 2020 at 03:10:48PM +0100, Phil Sutter wrote: [...] > > diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c > > index aa4cdcf69d471..24af61c95b4d4 100644 > > --- a/net/xfrm/xfrm_interface.c > > +++ b/net/xfrm/xfrm_interface.c > > @@ -317,7 +317,8 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) > > skb_dst_set(skb, dst); > > skb->dev = tdev; > > > > - err = dst_output(xi->net, skb->sk, skb); > > + err = NF_HOOK(skb_dst(skb)->ops->family, NF_INET_LOCAL_OUT, xi->net, > > + skb->sk, skb, NULL, skb_dst(skb)->dev, dst_output); > > if (net_xmit_eval(err) == 0) { > > struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats); > > I don't mind that change, but we have to be carefull on namespace transition. > xi->net is the namespace 'behind' the xfrm interface. I guess this is the > namespace where you want to do the match because that is the namespace > that has the policies and states for the xfrm interface. So I think that > change is correct, I just wanted to point that out explicitely. Thanks for the heads-up, I didn't consider this at all! But indeed I think it makes sense. I can move the xfrm interface into a netns after setting things up, then inside that netns netfilter only sees the plain "inner" packets and no associated ipsec context. This is correct as the netns doesn't have any knowledge of the policies pesent in initial netns. I'll submit the patch formally. Thanks, Phil