From: Jiri Pirko <jiri@resnulli.us>
To: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Cong Wang <xiyou.wangcong@gmail.com>,
Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
Linux Kernel Network Developers <netdev@vger.kernel.org>,
David Ahern <dsa@cumulusnetworks.com>,
Jamal Hadi Salim <jhs@mojatatu.com>
Subject: Re: [RFC net-next] net: sch_clsact: add support for global per-netns classifier mode
Date: Wed, 6 Sep 2017 09:24:13 +0200
Message-ID: <20170906072413.GC2523@nanopsycho>
In-Reply-To: <CAJieiUjPvte25P0VOdzYgB34TaLN_veTq3PhRc9yse7REmJaCw@mail.gmail.com>
Wed, Sep 06, 2017 at 06:04:17AM CEST, roopa@cumulusnetworks.com wrote:
>On Tue, Sep 5, 2017 at 3:45 PM, Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 09/06/2017 12:01 AM, Roopa Prabhu wrote:
>>>
>>> On Tue, Sep 5, 2017 at 11:18 AM, Cong Wang <xiyou.wangcong@gmail.com>
>>> wrote:
>>>>
>>>> On Tue, Sep 5, 2017 at 5:48 AM, Nikolay Aleksandrov
>>>> <nikolay@cumulusnetworks.com> wrote:
>>>>>
>>>>> Hi all,
>>>>> This RFC adds a new mode for clsact which designates a device's egress
>>>>> classifier as global per netns. The packets that are not classified for
>>>>> a particular device will be classified using the global classifier.
>>>>> We have needed a global classifier for some time now for various
>>>>> purposes and setting the single bridge or loopback/vrf device as the
>>
>>
>> Can you elaborate a bit more on the ... "we have needed a global
>> classifier for some time now for various purposes".
>
>Most of our ACLs are global or use a wildcard. e.g. iptables supports
>global rules without a dev. We do end up having hundreds of netdevs.
>Another use case for the future is use of tc for policy based routing
>which requires global rules.
That is not how TC works. There are devices, qdiscs, blocks, chains. The
global approach does not fit. The block sharing gets you what you need,
without need for any ugly hack.