On 3/19/21 10:11 AM, Ishaan Gandhi wrote:
> Thank you. Would it be better to do instead:
>
> + if_index = skb->skb_iif;
>
> or
>
> + if_index = ip_version == 4 ? inet_iif(skb) : skb->skb_iif;
>

If the packet comes in via an interface assigned to a VRF, skb_iif is most likely the VRF index which is not what you want. The general problem of relying on skb_iif was discussed on v1 and v2 of your patch.

Returning an iif that is a VRF, as an example, leaks information about the networking configuration of the device which from a quick reading of the RFC is not the intention. Further, the Security Considerations section recommends controls on what information can be returned where you have added a single sysctl that determines if all information or none is returned. Further, it is not a per-device control but a global one that applies to all net devices - though multiple entries per netdevice has a noticeable cost in memory at scale.

In the end it seems to me the cost benefit is not there for a feature like this.