From: Eyal Birger <eyal.birger@gmail.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
David Miller <davem@davemloft.net>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Linux Kernel Network Developers <netdev@vger.kernel.org>,
shmulik@metanetworks.com, Eyal Birger <eyal@metanetworks.com>
Subject: Re: [PATCH net-next,v2 2/2] net: sched: add em_ipt ematch for calling xtables matches
Date: Tue, 30 Jan 2018 10:48:08 +0200
Message-ID: <20180130104808.7a0c2ac1@jimi>
In-Reply-To: <CAM_iQpW+3oQDaTQPmFf8sZYCTzRo7d4VTL0AKpPDFhV1F7c6Kg@mail.gmail.com>
On Sun, 28 Jan 2018 19:22:12 -0800
Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Fri, Jan 26, 2018 at 11:57 AM, Eyal Birger <eyal.birger@gmail.com>
> wrote:
> > On Fri, Jan 26, 2018 at 8:50 PM, Pablo Neira Ayuso
> > <pablo@netfilter.org> wrote:
> >> Isn't there a way to reject the use of this from ->change()? ie.
> >> from control plane configuration.
> >
> > I wasn't able to find a simple way of doing so:
> >
> > - AFAIU tc filters are detached from the qdiscs they operate on via
> > tcf_block instances that may be shared by different qdiscs. I was not
> > able to be sure that filters attached to ingress qdiscs via tcf_blocks
> > at configuration time cannot later be shared with non-ingress qdiscs.
> > Nor was I able to find another classifier making the ingress/egress
> > distinction at configuration time.
> >
> > - ematches are not provided with 'ingress/egress' information at
> > 'change()' invocation, though of course the infrastructure could be
> > extended to provide this, given the distinction is available.
> >
>
> In the past you could check tp->q, but now we support shared tc filter
> blocks, so it is hard. I think your v1 is okay, which just silently
> passes the match on the egress side. Or maybe we can just add a pr_info()
> unconditionally in em_ipt_change() saying only ingress is supported.
Thanks!

The motivation for allowing only ingress was to avoid skb modifications
on egress, as when running the match on egress skb->data must point to
the L3 header. Looking again at the calling flow, e.g. from __dev_queue_xmit(),
I don't see a case where the skb may be shared.

Similarly on the ingress flow, sch_handle_ingress() modifies the skb, and
tc actions perform skb modification without share checking.

So as far as I can tell skb_pull() on the match is safe.

Is there a different code path I should be looking for?

If that is the case, perhaps the v1 approach supporting both directions
including skb_pull() can be resubmitted without the pr_notice once
net-next is open.

Eyal.
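The point under discussion is that on egress skb->data still sits at the L2 header, so an xtables match has to be run with skb->data moved to the L3 header and then moved back. The following user-space model (added here for illustration; it is not kernel code and not the em_ipt patch) shows that pull/match/push sequence on a constructed Ethernet+IPv4 frame, with a hypothetical protocol-field match standing in for the real xtables match, and checks that skb->data and len are restored for the caller.

```c
/* User-space model of the skb->data adjustment discussed in the thread.
 * Not kernel code: struct skb and the helpers below are simplified stand-ins. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

struct skb {
    uint8_t *head;
    uint8_t *data;
    size_t   len;
    int      mac_header;     /* offset from head, as in the kernel */
    int      network_header; /* offset from head */
};

/* Same meaning as the kernel's skb_network_offset(): L3 header minus data. */
static int skb_network_offset(const struct skb *skb)
{
    return skb->network_header - (int)(skb->data - skb->head);
}

static void skb_pull(struct skb *skb, size_t n) { skb->data += n; skb->len -= n; }
static void skb_push(struct skb *skb, size_t n) { skb->data -= n; skb->len += n; }

/* Hypothetical L3 match: IPv4 header whose protocol field equals 'proto'. */
static int ipv4_proto_match(const uint8_t *l3, size_t len, uint8_t proto)
{
    if (len < 20 || (l3[0] >> 4) != 4)
        return 0;
    return l3[9] == proto;
}

/* Model of the match path: pull data to L3, run the match, push back. */
int em_ipt_match_model(struct skb *skb, uint8_t proto)
{
    int off = skb_network_offset(skb);
    int ret;

    if (off < 0 || (size_t)off > skb->len)
        return 0;
    skb_pull(skb, off);
    ret = ipv4_proto_match(skb->data, skb->len, proto);
    skb_push(skb, off);  /* restore skb->data for the rest of the egress path */
    return ret;
}

/* Constructed egress frame: 14-byte Ethernet header followed by a minimal
 * 20-byte IPv4 header carrying 'proto_in_frame'; match against 'proto_wanted'. */
int egress_example(uint8_t proto_in_frame, uint8_t proto_wanted)
{
    uint8_t frame[14 + 20] = {0};
    frame[14] = 0x45;               /* IPv4, IHL 5 */
    frame[14 + 9] = proto_in_frame; /* protocol field */
    struct skb skb = { frame, frame, sizeof(frame), 0, 14 };
    int matched = em_ipt_match_model(&skb, proto_wanted);
    assert(skb.data == frame && skb.len == sizeof(frame)); /* restored */
    return matched;
}
```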
Thread overview:
2018-01-26 16:48 [PATCH net-next,v2 0/2] net: sched: introduce em_ipt ematch Eyal Birger
2018-01-26 16:48 ` [PATCH net-next,v2 1/2] net: sched: ematch: pass protocol to ematch 'change()' handlers Eyal Birger
2018-01-26 16:48 ` [PATCH net-next,v2 2/2] net: sched: add em_ipt ematch for calling xtables matches Eyal Birger
2018-01-26 18:50 ` Pablo Neira Ayuso
2018-01-26 19:57 ` Eyal Birger
2018-01-29 3:22 ` Cong Wang
2018-01-30 8:48 ` Eyal Birger [this message]