From: Eric Dumazet <eric.dumazet@gmail.com>
To: hadi@cyberus.ca
Cc: netdev@vger.kernel.org, "David Miller" <davem@davemloft.net>,
"Atis Elsts" <atis@mikrotik.com>,
"Maciej Żenczykowski" <zenczykowski@gmail.com>
Subject: Re: [PATCH][RFC]: ingress socket filter by mark
Date: Sun, 18 Oct 2009 19:28:35 +0200
Message-ID: <4ADB5043.7070707@gmail.com>
In-Reply-To: <1255869758.4815.40.camel@dogo.mojatatu.com>

jamal wrote:
> Maciej forced me to dig into this ;->
>
> At the socket level, if a packet arrives with a different mark than
> what we bind to, drop it. I have tested this patch and it drops a packet
> with a mismatching mark.
>
> There are several approaches - and I think the patch suggestion I have
> made here may be too strict. I assume that if someone binds to a mark,
> they want to not only send packets with that mark but receive
> only if that mark is set.
> A looser check would be something along the lines of: accept as well if
> the mark is not set, i.e.
> if (sk->sk_mark && skb->mark && sk->sk_mark != skb->mark)
>
> Alternatively I could add one bit in the socket flags and have it so
> that the check is made only if the app has been explicit:
> if (sock_flag(sk, SOCK_CHK_SOMARK) && sk->sk_mark != skb->mark) drop
>
> Another approach is to set a sock filter from the app. I don't like this
> approach because it will be the least usable from the app level and would be
> the least simple from the kernel level.
>
> cheers,
> jamal
>
I vote for extending BPF, and not adding the price of a compare
for each packet. Only users wanting mark filtering should pay the price.