From: Jamal Hadi Salim <jhs@mojatatu.com>
To: Florian Westphal <fw@strlen.de>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, kaber@trash.net
Subject: Re: [PATCH 0/4] Netfilter ingress support (v3)
Date: Mon, 04 May 2015 13:21:32 -0400 [thread overview]
Message-ID: <5547AA9C.3030300@mojatatu.com> (raw)
In-Reply-To: <20150504161956.GK22481@breakpoint.cc>
On 05/04/15 12:19, Florian Westphal wrote:
> Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
>> wow, I have to say I'm impressed. That's the most genius way to
>> really kill TC.
>> Patch 1 looks good, patch 2,3,4 are nicely building on top...
>> until somebody starts asking how patch 5 will look.
>> In the future netfilter ingress module will be loaded along with
>> other iptables modules just like conntrack is today and users
>> who would want to use ingress tc would have to _unload_
>> netfilter_ingress module, but if it has interesting dependencies
>> it may mean to unload iptables and the rest.
>
> FWIW while I think this is a valid concern, I believe its unfounded.
>
> netfilter_ingress must not force run-time
> dependencies like 'oh, you want tc, too bad, no conntrack for you)'.
>
> (and i don't see any need for such a dependency).
>
It is an either-or choice. You cant have both. The _evil genius_ part i
think is that distros which ship with iptables rules and conntracking
on are going to not even turn on tc and my scripts now have to go
unload one.
But even if the scripts worked (perhaps there are plans to make sure
all scripts continue to work transparently), i care about performance
and youve suddenly taken that away from me.
So i would agree with adding the two hooks. Priority should be given
to tc in the code path.
cheers,
jamal
next prev parent reply other threads:[~2015-05-04 17:21 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-04 10:50 [PATCH 0/4] Netfilter ingress support (v3) Pablo Neira Ayuso
2015-05-04 10:50 ` [PATCH 1/4] net: add minimalistic ingress filter hook and port sch_ingress on top of it Pablo Neira Ayuso
2015-05-04 10:50 ` [PATCH 2/4] netfilter: cleanup struct nf_hook_ops indentation Pablo Neira Ayuso
2015-05-04 10:50 ` [PATCH 3/4] netfilter: add hook list to nf_hook_state Pablo Neira Ayuso
2015-05-04 10:50 ` [PATCH 4/4] net: add netfilter ingress hook Pablo Neira Ayuso
2015-05-04 15:56 ` [PATCH 0/4] Netfilter ingress support (v3) Alexei Starovoitov
2015-05-04 16:19 ` Florian Westphal
2015-05-04 17:21 ` Jamal Hadi Salim [this message]
2015-05-04 17:43 ` Florian Westphal
2015-05-04 18:47 ` Jamal Hadi Salim
2015-05-04 18:59 ` Florian Westphal
2015-05-04 20:05 ` Alexei Starovoitov
2015-05-04 22:21 ` Pablo Neira Ayuso
2015-05-04 23:04 ` Thomas Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5547AA9C.3030300@mojatatu.com \
--to=jhs@mojatatu.com \
--cc=alexei.starovoitov@gmail.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).