From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: Lorenzo Colitti <lorenzo@google.com>
Cc: David Miller <davem@davemloft.net>,
David Newall <davidn@davidnewall.com>,
netdev@vger.kernel.org, JP Abgrall <jpa@google.com>
Subject: Re: [RFC net-next 0/4] Support UID range routing.
Date: Sun, 11 May 2014 14:45:45 -0700 [thread overview]
Message-ID: <1399844745.13956.116157949.32873A56@webmail.messagingengine.com> (raw)
In-Reply-To: <CAKD1Yr0ZXniXMyZ3WcWFsZ=UD9JJ+Bhv69meRrGuMEiN-_SugA@mail.gmail.com>
On Wed, May 7, 2014, at 3:58, Lorenzo Colitti wrote:
> On Wed, May 7, 2014 at 6:24 PM, Hannes Frederic Sowa
> <hannes@stressinduktion.org> wrote:
> > I question the abstraction of using UIDs for matching routing rules.
> > E.g. freebsd uses setfib[1] to alter the view of the routing table per
> > process. E.g. an interface like ip rule exec (action ACTION)+ PROGRAM
> > would be much nicer in combination with a prctl, maybe? I would much
> > rather enjoy an interface not based on UIDs. Would something like that
> > solve your initial problem?
>
> So you're suggesting something that would still be an ip rule, but
> would match a new identifier ("fibgroup") rather than the uid? I think
> that would work, though obviously it's a much bigger change than what
> I am proposing here.
>
> It would require defining a new identifier, figuring out what its
> semantics are, setting it when socket objects are created, attaching
> it to sockets across accept/fork, etc. Userspace code would have to be
> update it to set it on processes (whereas the uid is already dealt
> with by existing tools), etc.
That was my idea, yes. Having some kind of opaque identifier with
user-friendly names a la /etc/iproute2/rt_tables which can be used in ip
rule matches.
I see, it would require very heavy lifting, but in the end seems to be
more user-friendly to me than uids. But I guess task_struct is something
like sk_buff, where you need to find very good arguments to expand it.
Maybe something like cgroup/net_cls.classid would be possible, but I am
not familar on how to interact with cgroups internally and don't know
how much work that would be (and if more network cgroup interaction is
actually desirable).
> If you're proposing something not that's not an ip rule, then that
> seems like a step backwards, because it won't allow the rich policy
> allowed by processing rules in priority order, throw routes, FRA_GOTO,
> etc.
Agreed.
Bye,
Hannes
next prev parent reply other threads:[~2014-05-11 21:45 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-26 4:48 [RFC net-next 0/4] Support UID range routing Lorenzo Colitti
2014-04-26 4:48 ` [RFC net-next 1/4] net: ipv6: Introduce flowi6_init_output Lorenzo Colitti
2014-04-26 5:56 ` Julian Anastasov
2014-04-27 4:03 ` Lorenzo Colitti
2014-04-28 7:07 ` Julian Anastasov
2014-04-26 4:48 ` [RFC net-next 2/4] net: core: Add a UID range to fib rules Lorenzo Colitti
2014-04-26 4:48 ` [RFC net-next 3/4] net: core: Add the UID to flowi[46]_init_output Lorenzo Colitti
2014-04-26 4:48 ` [RFC net-next 4/4] net: core: Add a RTA_UID attribute to routes Lorenzo Colitti
2014-04-26 13:14 ` [RFC net-next 0/4] Support UID range routing David Newall
2014-04-28 14:38 ` Lorenzo Colitti
[not found] ` <20140428.125807.409036177577836732.davem@davemloft.net>
2014-04-28 19:01 ` Lorenzo Colitti
2014-05-02 19:15 ` Lorenzo Colitti
2014-05-02 19:24 ` David Miller
2014-05-07 3:59 ` Lorenzo Colitti
2014-05-07 9:24 ` Hannes Frederic Sowa
2014-05-07 10:58 ` Lorenzo Colitti
2014-05-11 21:45 ` Hannes Frederic Sowa [this message]
2014-05-12 20:25 ` Lorenzo Colitti
2014-04-30 4:36 ` Lorenzo Colitti
2014-04-30 7:52 ` David Newall
2014-04-30 8:04 ` Lorenzo Colitti
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1399844745.13956.116157949.32873A56@webmail.messagingengine.com \
--to=hannes@stressinduktion.org \
--cc=davem@davemloft.net \
--cc=davidn@davidnewall.com \
--cc=jpa@google.com \
--cc=lorenzo@google.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).