From: Daniel Borkmann <daniel@iogearbox.net>
To: Tejun Heo <tj@kernel.org>,
davem@davemloft.net, pablo@netfilter.org, kaber@trash.net,
kadlec@blackhole.kfki.hu, lizefan@huawei.com, hannes@cmpxchg.org
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, cgroups@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel-team@fb.com,
daniel.wagner@bmw-carit.de, nhorman@tuxdriver.com
Subject: Re: [PATCH 4/5] sock, cgroup: add sock->sk_cgroup
Date: Tue, 17 Nov 2015 22:46:30 +0100
Message-ID: <564BA036.4000602@iogearbox.net>
In-Reply-To: <1447789240-29394-5-git-send-email-tj@kernel.org>
Hi Tejun,
On 11/17/2015 08:40 PM, Tejun Heo wrote:
...
> While it is possible to solve these issues from controller side by
> implementing hierarchical allowable ranges in both controllers, it
> would involve quite a bit of complexity in the controllers and further
> obfuscate network configuration as it becomes even more difficult to
> tell what's actually being configured looking from the network side.
> While not much can be done for v1 at this point, as membership
> handling is sane on cgroup v2, it'd be better to make cgroup matching
> behave like other network matches and classifiers than introducing
> further complications.
>
> In preparation, this patch adds sock->sk_cgroup which points to the
> associated cgroup. A sock is associated on creation and stays
> associated to the same cgroup until freed; unfortunately, this ends up
> adding another cgroup field to struct sock on top of sk_cgrp_prioidx
> and sk_classid. I tried to think of a way to somehow overload the
> existing fields but couldn't come up with a reasonable one. For the
> longer term, the fields can be rearranged so that disabling prio and
> cls controllers reduce the size of the struct.
Do you see a way forward where the new behavior could be enabled f.e.
as an extra mount option (that long-term would be made default, while
deprecating the current behavior) on net_cls et al? There are various
more users at least on the net_cls side (nft and tc as well). Would be
really great if sk_cgroup could abstract that somehow away for all of
them w/o adding a second version to all users.
Best,
Daniel