On 07/30/15 at 04:16pm, Joe Stringer wrote:
> On 30 July 2015 at 11:40, Thomas Graf <tg...@suug.ch> wrote:
> > On 07/30/15 at 11:12am, Joe Stringer wrote:
> >> Signed-off-by: Joe Stringer <joestrin...@nicira.com>
> >
> > Can you write a few lines on why this is needed? I have flows which
> > use the mark to communicate with netfilter through internal ports.
>
> The problem I was seeing is when packets come from a different
> namespace on the localhost, they still have conntrack data associated.
> This doesn't make sense, so the intention is to perform nf_reset().
> However, it seems like we should actually be doing a bit more - at
> least the skb_dst_drop() and perhaps some of the other stuff in
> skb_scrub_packet().
>
> Do you want to retain the mark when transitioning between namespaces?
Since we have retained it so far I think we should keep on doing that.
I'm pretty sure there are users of it out there besides me. As you know,
it's common to have tap devices in between OVS and the guest in OpenStack
and install netfilter rules there.

As for whether we should scrub it in between namespaces: probably yes,
but it's definitely tremendously useful to be able to transfer some
metadata (mark and dst metadata) between namespaces. The default
behaviour should probably be to scrub it, with a flag to keep it. If that
flag is not set and the nsid of the port != bridge, then we scrub the mark
and other metadata.