From: Florian Westphal <fw@strlen.de>
To: Eyal Birger <eyal.birger@gmail.com>
Cc: Florian Westphal <fw@strlen.de>,
David Miller <davem@davemloft.net>,
Willem de Bruijn <willemb@google.com>,
Eric Dumazet <edumazet@google.com>,
Shmulik Ladkani <shmulik.ladkani@gmail.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH net-next v4 0/2] net: Introducing socket mark receive socket option
Date: Mon, 2 Mar 2015 19:55:17 +0100 [thread overview]
Message-ID: <20150302185517.GA9762@breakpoint.cc> (raw)
In-Reply-To: <CAHsH6GtDXWwLP4C2ZTfFpbWyLUKh8=nO02Xg_WmD4a+pN-Vf_A@mail.gmail.com>
Eyal Birger <eyal.birger@gmail.com> wrote:
> On Mon, Mar 2, 2015 at 4:36 PM, Florian Westphal <fw@strlen.de> > > wrote:
> The application does not need to know about the match criteria. Only about the
> eventual mark. This decouples the semantics of a flow and it's actual
> match criteria.
>
> > I don't see how that is 'better' than e.g. looking at dst port number.
>
> As mentioned, in cases where the match criteria is more complex than
> just the dst
> port number, the match logic has to be duplicated in the application.
Sure. However, in that case, I fail to see why you'd need to
differentiate at all; normally this would only be needed to e.g. figure
out if your proxy deals with f.e. http or ssl, and dport would be enough
for this.
> > Right, but to me it seems very hacky to use SO_MARK as some kind of OOB signal.
> >
> > It won't work depending on loaded ruleset, it won't work with non-localhost
> > traffic and it won't work when other application runs in another network
> > namespace.
> >
> > Seems such facility would be limited to some pre-configured distribution where
> > users don't run own software and make no changes to the default system
> > setup.
> >
>
> It does not necessarily imply a static configuration, only a carefully
> crafted one.
> There are more than a few systems with this premise.
> >> For example, a user space daemon can receive traffic from multiple
> >> applications using a single socket and distinguish between different traffic groups
> >> according to the packet mark.
> >
> > Right, but it might as well use SO_PEERCRED to identify the other pid, right?
>
> I don't think so.
>
> This would only work on connection/pair based sockets (and currently
> only supported
> in AF_UNIX) - the skb->mark can be different on a per packet basis -
> especially when
> several applications interact with a single daemon.
Fair enough, I still cannot imagine any scenario where doing this
would be a clean design or where this cannot be covered by other means
(in payload, via peercred, using dbus, etc.)
I'd have no problem at all with this if we had some kind of staging
tree for uapi :-}
I'll assume that I'm just not imaginative enough when it comes to use
cases for this facility, it doesn't seem to be too problematic exposing
this, aside from userspace considerations (such as inability to guarantee
that skb->mark will be set up as expected), so i still fail to see how
its useful for isolated applications or even a collection of programs
that want to do ipc.
next prev parent reply other threads:[~2015-03-02 18:55 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-02 13:14 [PATCH net-next v4 0/2] net: Introducing socket mark receive socket option Eyal Birger
2015-03-02 13:14 ` [PATCH net-next v4 1/2] net: Rename sock_recv_ts_and_drops() to sock_cmsg_recv() Eyal Birger
2015-03-02 13:14 ` [PATCH net-next v4 2/2] net: Introducing socket mark receive socket option Eyal Birger
2015-03-02 13:29 ` [PATCH net-next v4 0/2] " Florian Westphal
2015-03-02 13:48 ` Eyal Birger
2015-03-02 14:36 ` Florian Westphal
2015-03-02 18:34 ` Eyal Birger
2015-03-02 18:55 ` Florian Westphal [this message]
2015-03-02 20:05 ` David Miller
2015-03-02 20:38 ` Eyal Birger
2015-03-02 20:57 ` David Miller
2015-03-02 21:11 ` Eyal Birger
2015-03-02 21:45 ` David Miller
2015-03-03 3:45 ` Eyal Birger
2015-03-03 4:01 ` David Miller
2015-03-02 20:01 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150302185517.GA9762@breakpoint.cc \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eyal.birger@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=shmulik.ladkani@gmail.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).