Patrick McHardy <kaber@xxxxxxxxx> writes:

> Arnd Bergmann wrote:
>> On Tuesday 24 November 2009, Patrick McHardy wrote:
>>> Eric W. Biederman wrote:
>>>> I don't quite follow what you intend with dev_queue_xmit when the macvlan
>>>> is in one namespace and the real physical device is in another. Are
>>>> you mentioning that the packet classifier runs in the namespace where
>>>> the primary device lives with packets from a different namespace?
>>> Exactly. And I think we should make sure that the namespace of
>>> the macvlan device can't (deliberately or accidentally) cause
>>> misclassification.
>>
>> This is independent of my series and a preexisting problem, right?
>
> Correct.
>
>> Which fields do you think need to be reset to maintain namespace
>> isolation for the outbound path in macvlan?
>
> In addition to those already handled, I'd say
>
> - priority: affects qdisc classification, may refer to classes of the
>   old namespace
> - ipvs_property: might cause packets to incorrectly skip netfilter hooks
> - nf_trace: might trigger packet tracing
> - nf_bridge: contains references to network devices in the old NS,
>   also indicates packet was bridged
> - iif: index is only valid in the originating namespace
> - tc_index: classification result, should only be set in the namespace
>   of the classifier
> - tc_verd: RTTL etc. should begin at zero again
> - probably secmark.

Wow. I thought we were trying to reduce skbuff, where did all of those
fields come from?

Regardless, that sounds like a good list to get stomped.

Eric

_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/virtualization