From: Patrick McHardy <kaber@trash.net>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, jhs@mojatatu.com
Subject: Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks
Date: Thu, 30 Apr 2015 03:43:16 +0200 [thread overview]
Message-ID: <20150430014316.GB7956@acer.localdomain> (raw)
In-Reply-To: <55417F80.4000506@iogearbox.net>
On 30.04, Daniel Borkmann wrote:
> On 04/30/2015 02:37 AM, Patrick McHardy wrote:
> >On 30.04, Pablo Neira Ayuso wrote:
> >>On the bugfix front, the illegal mangling of shared skb from actions
> >>like stateless nat and bpf look also important to be addressed to me.
> >>David already suggested to propagate some state object that keeps a
> >>pointer to the skb that is passed to the action. Thus, the action can
> >>clone it and get the skb back to the ingress path. I started a
> >>patchset to do so here, it's a bit large since it requires quite a lot
> >>of function signature adjustment.
> >
> >Jumping in on this point - the fact that roughly 2/3 of TC actions will
> >simply BUG under not unlikely circumstances when used in ingress (I went
> >through them one by one with Pablo a week ago) is also telling. Nobody
> >seems to be using that. All packet mangling actions will BUG while any
> >tap is active. Its nothing easily fixed, but apparently nobody has cared
> >in ten years. ipt is trivial to crash differently, connmark is as well.
> >
> >So I'm wondering what are we actually arguing about here. Whether we are
> >affecting the performance how fast TC will crash? We *do* actually care
> >about these thing, in TC apparently nobody has for the past ten years.
>
> Totally agree with you that the situation is quite a mess. From tc ingress/
> egress side, at least my use case is to have an as minimal as possible entry
> point for cls_bpf/act_bpf, which is what we were working on recently. That
> is rather ``fresh'' compared to the remaining history of cls/act in tc.
It's more than a mess. Leaving aside the fully broken code at ingress,
just look at the TC action APIs. Its "a failed state". TC is as well, but
on egress only on the userspace side - Thomas's presentation 'TC - -EWTF'
IIRC put it quite well. Our long term goal is to fix both, but ingress is
actually simply, for any realistic case (though my experience is limited),
meaning you have more than a single classifier, some structure in your rules
and more than a single CPU, we'll do better right now.
But Alexey's point is well taken. If we can't manange to add our hooks
without impacting existing use cases, we'll try better until we can.
The single hook case seems to be possible to optimize at the benefit of
all the layers quite easily, and for people using both, we'll try to
compete on a different level.
next prev parent reply other threads:[~2015-04-30 1:43 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-29 18:53 [PATCH 0/6 RFC] Netfilter ingress support (v2) Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 1/6] netfilter: cleanup struct nf_hook_ops indentation Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 2/6] netfilter: add hook list to nf_hook_state Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 3/6] netfilter: add nf_hook_list_active() Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 4/6] netfilter: move generic hook infrastructure into net/core/hooks.c Pablo Neira Ayuso
2015-04-29 23:59 ` Patrick McHardy
2015-04-29 18:53 ` [PATCH 5/6] net: add netfilter ingress hook Pablo Neira Ayuso
2015-04-29 18:53 ` [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks Pablo Neira Ayuso
2015-04-29 20:27 ` Daniel Borkmann
2015-04-29 23:32 ` Pablo Neira Ayuso
2015-04-30 0:10 ` Daniel Borkmann
2015-04-30 0:20 ` Daniel Borkmann
2015-04-30 0:30 ` Patrick McHardy
2015-04-30 0:41 ` Daniel Borkmann
2015-04-30 0:48 ` Patrick McHardy
2015-04-30 1:16 ` Alexei Starovoitov
2015-04-30 1:34 ` Patrick McHardy
2015-04-30 2:22 ` Jamal Hadi Salim
2015-04-30 3:11 ` Patrick McHardy
2015-04-30 11:55 ` Jamal Hadi Salim
2015-04-30 15:33 ` Pablo Neira Ayuso
2015-04-30 16:09 ` Daniel Borkmann
2015-04-30 16:36 ` Pablo Neira Ayuso
2015-04-30 19:16 ` Daniel Borkmann
2015-04-30 23:01 ` Daniel Borkmann
2015-05-01 1:15 ` Jamal Hadi Salim
2015-04-30 10:12 ` Pablo Neira Ayuso
2015-04-30 19:05 ` Alexei Starovoitov
2015-04-30 0:37 ` Patrick McHardy
2015-04-30 1:04 ` Daniel Borkmann
2015-04-30 1:43 ` Patrick McHardy [this message]
2015-04-30 2:35 ` Jamal Hadi Salim
2015-04-30 3:29 ` Patrick McHardy
2015-04-30 4:05 ` Patrick McHardy
2015-04-30 6:02 ` Alexei Starovoitov
2015-04-30 9:24 ` Daniel Borkmann
2015-04-30 10:28 ` Pablo Neira Ayuso
2015-04-29 23:36 ` Patrick McHardy
2015-04-30 0:00 ` Daniel Borkmann
2015-04-30 0:15 ` Patrick McHardy
2015-04-29 21:53 ` Cong Wang
2015-04-29 23:37 ` Patrick McHardy
2015-04-29 23:42 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150430014316.GB7956@acer.localdomain \
--to=kaber@trash.net \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox