On Fri, Feb 12, 2016 at 2:24 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Wed, Feb 10, 2016 at 7:33 AM, Mahesh Bandewar <mah...@bandewar.net> wrote: >> From: Mahesh Bandewar <mahe...@google.com> >> >> Scrub skb before hitting the iptable hooks to ensure packets hit >> these hooks. >> >> Signed-off-by: Mahesh Bandewar <mahe...@google.com> >> --- >> v1: initial patch >> v2: resend >> >> drivers/net/ipvlan/ipvlan_core.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/net/ipvlan/ipvlan_core.c >> b/drivers/net/ipvlan/ipvlan_core.c >> index 8c48bb2a94ea..21c380f9ccd5 100644 >> --- a/drivers/net/ipvlan/ipvlan_core.c >> +++ b/drivers/net/ipvlan/ipvlan_core.c >> @@ -365,7 +365,7 @@ static int ipvlan_process_v4_outbound(struct sk_buff >> *skb) >> ip_rt_put(rt); >> goto err; >> } >> - skb_dst_drop(skb); >> + skb_scrub_packet(skb, false); > > Hmm, I am feeling we should set the xnet param to be true here when the ipvlan > device is in a different namespace with the physical one? > Yes, that makes sense. I'll update the patch to reflect that.
> >> skb_dst_set(skb, &rt->dst); >> err = ip_local_out(net, skb->sk, skb); >> if (unlikely(net_xmit_eval(err))) >> @@ -403,7 +403,7 @@ static int ipvlan_process_v6_outbound(struct sk_buff >> *skb) >> dst_release(dst); >> goto err; >> } >> - skb_dst_drop(skb); >> + skb_scrub_packet(skb, false); > > Ditto. > > Thanks!
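
Review bot: in the ipvlan_process_v4_outbound() hunk, the second argument to skb_scrub_packet(skb, false) is hard-coded, so the cross-namespace part of the scrub is skipped even when the ipvlan device and the physical device sit in different network namespaces. Suggest deriving xnet from a namespace comparison of the two devices instead of passing a constant. If xnet becomes true, skb_scrub_packet() also orphans the skb, so check that the skb->sk passed in the following "err = ip_local_out(net, skb->sk, skb);" is still what that call expects. The commit message would also be clearer if it named which skb state was keeping packets from the iptables hooks.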
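
Review bot: the ipvlan_process_v6_outbound() hunk repeats the same constant, skb_scrub_packet(skb, false), so whatever xnet decision is made for v4 needs to be applied here in the same revision. Suggest computing the xnet value once in a small shared helper and using it in both outbound paths, so the v4 and v6 scrubbing behaviour cannot drift apart.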