Possible to add netfilter hooks to IFB driver?

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Possible to add netfilter hooks to IFB driver?
@ 2013-09-03 21:26 Brad Johnson
  2014-01-06 17:18 ` Alban Crequy
  2014-01-06 21:51 ` Stephen Hemminger
  0 siblings, 2 replies; 6+ messages in thread
From: Brad Johnson @ 2013-09-03 21:26 UTC (permalink / raw)
  To: netdev

I would like to add netfilter hooks to the IFB driver so I can do 
iptables -j IFB (just like we can with IMQ). But I would like to know 
first if there are any reasons this can not work. Please advise if this 
is possible, and if so any tips would be appreciated.

Cheers,
Brad

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Possible to add netfilter hooks to IFB driver?
  2013-09-03 21:26 Possible to add netfilter hooks to IFB driver? Brad Johnson
@ 2014-01-06 17:18 ` Alban Crequy
  2014-01-06 21:51 ` Stephen Hemminger
  1 sibling, 0 replies; 6+ messages in thread
From: Alban Crequy @ 2014-01-06 17:18 UTC (permalink / raw)
  To: Brad Johnson; +Cc: netdev

On Tue, 03 Sep 2013 16:26:09 -0500
Brad Johnson <bjohnson@ecessa.com> wrote:

> I would like to add netfilter hooks to the IFB driver so I can do 
> iptables -j IFB (just like we can with IMQ). But I would like to know 
> first if there are any reasons this can not work. Please advise if
> this is possible, and if so any tips would be appreciated.

I would like to have the same feature for ingress shaping via
connection marking. But this page says "wont go back to putting
netfilter hooks" but have a "contrack related action":
http://www.linuxfoundation.org/collaborate/workgroups/networking/ifb
http://thread.gmane.org/gmane.linux.network/21224

I don't know if someone made a patch for either implementation.

Best regards,
Alban

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Possible to add netfilter hooks to IFB driver?
  2013-09-03 21:26 Possible to add netfilter hooks to IFB driver? Brad Johnson
  2014-01-06 17:18 ` Alban Crequy
@ 2014-01-06 21:51 ` Stephen Hemminger
  2014-01-06 22:51   ` Andrew Collins
  1 sibling, 1 reply; 6+ messages in thread
From: Stephen Hemminger @ 2014-01-06 21:51 UTC (permalink / raw)
  To: Brad Johnson; +Cc: netdev

On Tue, 03 Sep 2013 16:26:09 -0500
Brad Johnson <bjohnson@ecessa.com> wrote:

> I would like to add netfilter hooks to the IFB driver so I can do 
> iptables -j IFB (just like we can with IMQ). But I would like to know 
> first if there are any reasons this can not work. Please advise if this 
> is possible, and if so any tips would be appreciated.
> 
> Cheers,
> Brad

The risk is creating the same races that made IMQ unacceptable.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Possible to add netfilter hooks to IFB driver?
  2014-01-06 21:51 ` Stephen Hemminger
@ 2014-01-06 22:51   ` Andrew Collins
  2014-01-07 11:18     ` Alban Crequy
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew Collins @ 2014-01-06 22:51 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: Brad Johnson, netdev@vger.kernel.org

On Mon, Jan 6, 2014 at 2:51 PM, Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> The risk is creating the same races that made IMQ unacceptable.
> --

I believe openwrt nowadays uses a TC action which runs the packet
through prerouting then pulls in the mark off the ct entry into the
skb, so ingress+IFB can take action on it.

Perhaps a cleaned up version of this would be suitable for upstream?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Possible to add netfilter hooks to IFB driver?
  2014-01-06 22:51   ` Andrew Collins
@ 2014-01-07 11:18     ` Alban Crequy
  2014-01-08 12:28       ` Jamal Hadi Salim
  0 siblings, 1 reply; 6+ messages in thread
From: Alban Crequy @ 2014-01-07 11:18 UTC (permalink / raw)
  To: Andrew Collins; +Cc: Stephen Hemminger, Brad Johnson, netdev@vger.kernel.org

On Mon, 6 Jan 2014 15:51:37 -0700
Andrew Collins <bsderandrew@gmail.com> wrote:

> On Mon, Jan 6, 2014 at 2:51 PM, Stephen Hemminger
> <stephen@networkplumber.org> wrote:
> >
> > The risk is creating the same races that made IMQ unacceptable.
> > --
> 
> I believe openwrt nowadays uses a TC action which runs the packet
> through prerouting then pulls in the mark off the ct entry into the
> skb, so ingress+IFB can take action on it.

Thanks for the info. I guess the implementation is this one:

https://dev.openwrt.org/browser/trunk/target/linux/generic/patches-3.12/621-sched_act_connmark.patch
https://dev.openwrt.org/browser/trunk/package/network/utils/iproute2/patches/210-add-act_connmark.patch
https://dev.openwrt.org/browser/trunk/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh#L343

> Perhaps a cleaned up version of this would be suitable for upstream?

I don't know but this seems a useful feature to me.

Best regards,
Alban

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Possible to add netfilter hooks to IFB driver?
  2014-01-07 11:18     ` Alban Crequy
@ 2014-01-08 12:28       ` Jamal Hadi Salim
  0 siblings, 0 replies; 6+ messages in thread
From: Jamal Hadi Salim @ 2014-01-08 12:28 UTC (permalink / raw)
  To: Alban Crequy, Andrew Collins
  Cc: Stephen Hemminger, Brad Johnson, netdev@vger.kernel.org

On 01/07/14 06:18, Alban Crequy wrote:
> On Mon, 6 Jan 2014 15:51:37 -0700
> Andrew Collins <bsderandrew@gmail.com> wrote:
>
>> On Mon, Jan 6, 2014 at 2:51 PM, Stephen Hemminger
>> <stephen@networkplumber.org> wrote:
>>>
>>> The risk is creating the same races that made IMQ unacceptable.
>>> --
>>
>> I believe openwrt nowadays uses a TC action which runs the packet
>> through prerouting then pulls in the mark off the ct entry into the
>> skb, so ingress+IFB can take action on it.
>
> Thanks for the info. I guess the implementation is this one:
>
> https://dev.openwrt.org/browser/trunk/target/linux/generic/patches-3.12/621-sched_act_connmark.patch
> https://dev.openwrt.org/browser/trunk/package/network/utils/iproute2/patches/210-add-act_connmark.patch
> https://dev.openwrt.org/browser/trunk/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh#L343
>
>> Perhaps a cleaned up version of this would be suitable for upstream?
>
> I don't know but this seems a useful feature to me.
>

I like that approach - discussion was had here on netdev
about a year ago refer to:
http://marc.info/?t=135591832200007&r=1&w=2
since it is a long thread, jump to here:
http://marc.info/?l=linux-netdev&m=135634890120552&w=2

I believe Pablo brought it up at the last netfilter meeting
and there was no disagreement to get it going.
I dont know if kids still use these expressions - but send him
some virtual beer and he may return the love.


cheers,
jamal

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2014-01-08 12:28 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-03 21:26 Possible to add netfilter hooks to IFB driver? Brad Johnson
2014-01-06 17:18 ` Alban Crequy
2014-01-06 21:51 ` Stephen Hemminger
2014-01-06 22:51   ` Andrew Collins
2014-01-07 11:18     ` Alban Crequy
2014-01-08 12:28       ` Jamal Hadi Salim

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).