On Wed, Sep 18, 2024 at 08:45:23AM -0400, Willem de Bruijn wrote: > Tiago Lam wrote: > > In order to check if egress traffic should be allowed through, we run a > > reverse socket lookup (i.e. normal socket lookup with the src/dst > > addresses and ports reversed) to check if the corresponding ingress > > traffic is allowed in. > > The subject and this description makes it sound that the change always > runs a reverse sk_lookup on sendmsg. > > It also focuses on the mechanism, rather than the purpose. > > The feature here adds IP_ORIGDSTADDR as a way to respond from a > user configured address. With the sk_lookup limited to this new > special case, as a safety to allow it. > > If I read this correctly, I suggest rewording the cover letter and > commit to make this intent and behavior more explicit. >
I think that makes sense, given this is really about two things: 1. Allowing users to use IP_ORIGDSTADDR to set src address and/or port on sendmsg(); 2. When they do, allow for that return traffic to exit without any extra configuration, thus limiting how users can take advantage of this new functionality. I've made a few changes which hopefully makes that clearer in v2, which I'm sending shortly. Thanks for these suggestions! Tiago.
