Re: openvswitch/flow WAS ( Re: [rfc] Merging the Open vSwitch datapath

[Simon Horman <horms@verge.net.au>]

On Mon, Oct 18, 2010 at 08:16:57AM -0400, jamal wrote:
> 
> On Sat, 2010-10-16 at 12:33 -0700, Jesse Gross wrote:
> > On Sat, Oct 16, 2010 at 4:35 AM, jamal <hadi@cyberus.ca> wrote:

[ snip ]

> > 2. A mechanism to send/receive packets to/from userspace.  This is an
> > important component that Open vSwitch adds to the pipeline.  This will
> > probably expand in the future to suit different applications, like the
> > security processing that I talked about.
> 
> There are many ways to skin that proverbial cat. I guess it will depend
> on whether you are redirecting or merely copying a whole packet, or part
> of it (while storing a part in the kernel) etc. Example for a scheme
> that works using netlink look at the netfilter examples. You could use
> pf_packet if merely requiring copies. One simple scheme i have used is
> to have the mirred action redirect to a tun device on which a user space
> daemon is listening. If you look at the mirred action - there is an
> option to redirect to a named socket which was never implemented because
> workarounds exist.

As I understand things, the packet goes from the kernel to userspace
and then (typically) comes back again.

I guess that it would be possible to send a copy of the headers
to user-sapce while the packet is quarantined in the kernel pending
a response from user-space. I say only the headers, as typically
that is all user-space needs to make a decision, though I guess it
may need the body to make some types of decisions. I have no idea
if such a scheme would be desirable in any circumstances.