From: Sargun Dhillon <sargun@sargun.me>
To: Daniel Mack <daniel@zonque.org>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Thomas Graf <tgraf@suug.ch>,
htejun@fb.com, daniel@iogearbox.net, ast@fb.com,
davem@davemloft.net, kafai@fb.com, fw@strlen.de,
harald@redhat.com, netdev@vger.kernel.org
Subject: Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups
Date: Tue, 23 Aug 2016 02:54:09 -0700
Message-ID: <20160823095347.GA3070@ircssh.c.rugged-nimbus-611.internal>
In-Reply-To: <721182c4-7285-c169-d088-c45c81a5219e@zonque.org>

On Tue, Aug 23, 2016 at 10:27:28AM +0200, Daniel Mack wrote:
> On 08/22/2016 07:20 PM, Sargun Dhillon wrote:
> > On Mon, Aug 22, 2016 at 06:22:20PM +0200, Daniel Mack wrote:
> >> On 08/22/2016 06:06 PM, Pablo Neira Ayuso wrote:
>
> >>> This patchset also needs an extra egress hook, not yet known where to
> >>> be placed, so two hooks in the network stacks in the end,
> >>
> >> That should be solvable, I'm sure. I can as well leave egress out for
> >> the next version so it can be added later on.
> >>
> > Any idea where you might put that yet? Does dev_xmit seem like a reasonable
> > place?
>
> Ah, yes. Thanks for the pointer, that seems to work fine.
>

Daniel pointed out to me that there's already a BPF program that's used there
for tc matches. So, it should work fine. I would just verify you can call
programs from IRQs, and rcu_bh plays well with it.

Alternatively, if you want to filter only IP traffic, ip_output and ip6_output
are fairly good places. I'm planning on putting some LSM hooks there soon. It's
a bit simpler.

I also suggest you use verdicts rather than trimming for simplicity's sake.

> > If someone uses the netprio, or the net classid controllers, skcd matches
> > no longer work.
>
> Yes, sock_cgroup_ptr() will fall back to the v2 root in this case.
>
> > Ideally, we should fix up these controllers to make them
> > more v2 friendly.
>
> These controllers do not exist for v2, that's why sock_cgroup_ptr()
> behaves that way. What's your idea to fix that up?

I think that we should just add another pointer to the end of sock_cgroup_data
while we're in this state of transition, and nudge people to disable
CONFIG_CGROUP_NET_PRIO and CONFIG_CGROUP_NET_CLASSID over time.

Alternatively, we add these controllers for v2, and we have some kind of marker
whether or not they're on v2 in the skcd. If they are, we can find the cgroup,
and get the prioidx and classid from the css. Although the comment in
cgroup-defs.h suggests that v2 and classid should never be used concurrently, I
can't help but disagree, given there's legacy infrastructure that leverages
classid.
>
>
> Thanks,
> Daniel
>

Looking forward to seeing these patches,
-Sargun