From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, jhs@mojatatu.com
Subject: Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks
Date: Thu, 30 Apr 2015 02:37:41 +0200 [thread overview]
Message-ID: <20150430003740.GF7025@acer.localdomain> (raw)
In-Reply-To: <20150429233205.GA3416@salvia>
On 30.04, Pablo Neira Ayuso wrote:
> On the bugfix front, the illegal mangling of shared skb from actions
> like stateless nat and bpf look also important to be addressed to me.
> David already suggested to propagate some state object that keeps a
> pointer to the skb that is passed to the action. Thus, the action can
> clone it and get the skb back to the ingress path. I started a
> patchset to do so here, it's a bit large since it requires quite a lot
> of function signature adjustment.
Jumping in on this point - the fact that roughly 2/3 of TC actions will
simply BUG under not unlikely circumstances when used in ingress (I went
through them one by one with Pablo a week ago) is also telling. Nobody
seems to be using that. All packet mangling actions will BUG while any
tap is active. Its nothing easily fixed, but apparently nobody has cared
in ten years. ipt is trivial to crash differently, connmark is as well.
So I'm wondering what are we actually arguing about here. Whether we are
affecting the performance how fast TC will crash? We *do* actually care
about these thing, in TC apparently nobody has for the past ten years.
next prev parent reply other threads:[~2015-04-30 0:37 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-29 18:53 [PATCH 0/6 RFC] Netfilter ingress support (v2) Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 1/6] netfilter: cleanup struct nf_hook_ops indentation Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 2/6] netfilter: add hook list to nf_hook_state Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 3/6] netfilter: add nf_hook_list_active() Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 4/6] netfilter: move generic hook infrastructure into net/core/hooks.c Pablo Neira Ayuso
2015-04-29 23:59 ` Patrick McHardy
2015-04-29 18:53 ` [PATCH 5/6] net: add netfilter ingress hook Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks Pablo Neira Ayuso
2015-04-29 20:27 ` Daniel Borkmann
2015-04-29 23:32 ` Pablo Neira Ayuso
2015-04-30 0:10 ` Daniel Borkmann
2015-04-30 0:20 ` Daniel Borkmann
2015-04-30 0:30 ` Patrick McHardy
2015-04-30 0:41 ` Daniel Borkmann
2015-04-30 0:48 ` Patrick McHardy
2015-04-30 1:16 ` Alexei Starovoitov
2015-04-30 1:34 ` Patrick McHardy
2015-04-30 2:22 ` Jamal Hadi Salim
2015-04-30 3:11 ` Patrick McHardy
2015-04-30 11:55 ` Jamal Hadi Salim
2015-04-30 15:33 ` Pablo Neira Ayuso
2015-04-30 16:09 ` Daniel Borkmann
2015-04-30 16:36 ` Pablo Neira Ayuso
2015-04-30 19:16 ` Daniel Borkmann
2015-04-30 23:01 ` Daniel Borkmann
2015-05-01 1:15 ` Jamal Hadi Salim
2015-04-30 10:12 ` Pablo Neira Ayuso
2015-04-30 19:05 ` Alexei Starovoitov
2015-04-30 0:37 ` Patrick McHardy [this message]
2015-04-30 1:04 ` Daniel Borkmann
2015-04-30 1:43 ` Patrick McHardy
2015-04-30 2:35 ` Jamal Hadi Salim
2015-04-30 3:29 ` Patrick McHardy
2015-04-30 4:05 ` Patrick McHardy
2015-04-30 6:02 ` Alexei Starovoitov
2015-04-30 9:24 ` Daniel Borkmann
2015-04-30 10:28 ` Pablo Neira Ayuso
2015-04-29 23:36 ` Patrick McHardy
2015-04-30 0:00 ` Daniel Borkmann
2015-04-30 0:15 ` Patrick McHardy
2015-04-29 21:53 ` Cong Wang
2015-04-29 23:37 ` Patrick McHardy
2015-04-29 23:42 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150430003740.GF7025@acer.localdomain \
--to=kaber@trash.net \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox