Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Alexei Starovoitov
On Thu, Apr 30, 2015 at 06:05:37AM +0200, Patrick McHardy wrote: > 06:05:37AM do you ever sleep? ;) > For the sake of completeness - on ingress, this alternative means simply > ditching TC. I'm sure 'ditching TC' doesn't mean to kill ingress qdisc completely. Compatibility needs to be preserved

Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Patrick McHardy
On 30.04, Daniel Borkmann wrote: > On 04/30/2015 02:37 AM, Patrick McHardy wrote: > >On 30.04, Pablo Neira Ayuso wrote: > >>On the bugfix front, the illegal mangling of shared skb from actions > >>like stateless nat and bpf look also important to be addressed to me. > >>David already suggested to p

Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Patrick McHardy
On 30.04, Daniel Borkmann wrote: > > > >I can also see there were also intentions to support userspace > >queueing at some point since TC_ACT_QUEUED has been there since the > >beginning. That should be possible at some point using this > >infrastructure (once there are no further concerns on the

Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Daniel Borkmann
On 04/30/2015 01:32 AM, Pablo Neira Ayuso wrote: ... Actually, the extra cost is roughly (getting inlined stuff away and other non-relevant stuff): `-> nf_hook_slow() `-> [for each entry in hook list] `-> nf_iterate() `-> (*elemp)->hook() Yep, agreed. as part of the

Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Patrick McHardy
On 29.04, Cong Wang wrote: > On Wed, Apr 29, 2015 at 11:53 AM, Pablo Neira Ayuso > wrote: > > diff --git a/net/sched/Kconfig b/net/sched/Kconfig > > index 2274e72..23b57da 100644 > > --- a/net/sched/Kconfig > > +++ b/net/sched/Kconfig > > @@ -312,6 +312,7 @@ config NET_SCH_PIE > > config NET_SCH

Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Pablo Neira Ayuso
On Wed, Apr 29, 2015 at 10:27:05PM +0200, Daniel Borkmann wrote: > On 04/29/2015 08:53 PM, Pablo Neira Ayuso wrote: > >Port qdisc ingress on top of the Netfilter ingress allows us to detach the > >qdisc ingress filtering code from the core, so now it resides where it really > >belongs. > > Hm, but

Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Cong Wang
On Wed, Apr 29, 2015 at 11:53 AM, Pablo Neira Ayuso wrote: > diff --git a/net/sched/Kconfig b/net/sched/Kconfig > index 2274e72..23b57da 100644 > --- a/net/sched/Kconfig > +++ b/net/sched/Kconfig > @@ -312,6 +312,7 @@ config NET_SCH_PIE > config NET_SCH_INGRESS > tristate "Ingress Qdisc"

[PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Pablo Neira Ayuso
Port qdisc ingress on top of the Netfilter ingress allows us to detach the qdisc ingress filtering code from the core, so now it resides where it really belongs. The specific qdisc ingress static key is also gone since we now rely on the generic netfilter hook static key infrastructure. This only