Tiago Lam wrote:
> In order to check if egress traffic should be allowed through, we run a
> reverse socket lookup (i.e. normal socket lookup with the src/dst
> addresses and ports reversed) to check if the corresponding ingress
> traffic is allowed in.

The subject and this description make it sound as if the change always
runs a reverse sk_lookup on sendmsg.

It also focuses on the mechanism, rather than the purpose.

The feature here adds IP_ORIGDSTADDR as a way to respond from a
user-configured address. With the sk_lookup limited to this new
special case, as a safety to allow it.

If I read this correctly, I suggest rewording the cover letter and
commit to make this intent and behavior more explicit.

> Thus, if a sk_lookup reverse call
> returns a socket that matches the egress socket, we also let the egress
> traffic through - following the principle of, allowing return traffic to
> proceed if ingress traffic is allowed in.  The reverse lookup is only
> performed in case an sk_lookup ebpf program is attached and the source
> address and/or port for the return traffic have been modified.
> 
> The src address and port can be modified by using ancillary messages.
> Up until now, it was possible to specify a different source address to
> sendmsg by providing it in an IP_PKTINFO ancillary message, but there's
> no way to change the source port. This patch also extends the ancillary
> messages supported by sendmsg to support the IP_ORIGDSTADDR ancillary
> message, reusing the same cmsg and struct used in recvmsg - which
> already supports specifying a port.
> 
> Suggested-by: Jakub Sitnicki <ja...@cloudflare.com>
> Signed-off-by: Tiago Lam <tiago...@cloudflare.com>
