On Wed, Sep 18, 2024 at 08:45:23AM -0400, Willem de Bruijn wrote:
Tiago Lam wrote:
In order to check if egress traffic should be allowed through, we run a reverse socket lookup (i.e. normal socket lookup with the src/dst addresses and ports reversed) to check if the corresponding ingress traffic is allowed in.
The subject and this description makes it sound that the change always runs a reverse sk_lookup on sendmsg.
It also focuses on the mechanism, rather than the purpose.
The feature here adds IP_ORIGDSTADDR as a way to respond from a user configured address. With the sk_lookup limited to this new special case, as a safety to allow it.
If I read this correctly, I suggest rewording the cover letter and commit to make this intent and behavior more explicit.
I think that makes sense, given this is really about two things: 1. Allowing users to use IP_ORIGDSTADDR to set src address and/or port on sendmsg(); 2. When they do, allow for that return traffic to exit without any extra configuration, thus limiting how users can take advantage of this new functionality.
I've made a few changes which hopefully makes that clearer in v2, which I'm sending shortly. Thanks for these suggestions!
Tiago.