Re: cgroup filter on physics interface can't control container
From: Libo Chen <hidden>
Date: 2013-12-12 12:20:07
Also in:
cgroups, lkml
ping... On 2013/12/9 10:32, Libo Chen wrote:
hello network hackers,
A linux container was builded with veth pair(veth0 inside container, veth1 outside container),
the config as below:
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0 // base on eth0
lxc.network.name = eth0
lxc.network.ipv4 = 128.5.130.26/24
then I use tc command with cgroup filter on veth0, it works well. But when setting on eth0, it doesn`t work.
The reason is dev_forward_skb() in veth_xmit will call skb_scrub_packet and clean all information including skb->sk
in the skb, so if cls_cgroup_classify is working in serving softirq state, it will return failer, see below:
if (in_serving_softirq()) {
/* If there is an sk_classid we'll use that. */
if (!skb->sk)
return -1;
classid = skb->sk->sk_classid;
}
Qdisc with cgroup filter on physics interface can not control a container network, it is disappointed.
we can save sk_classid before skb_scrub_packet and restore it after that. Is it reasonable? or any way to achieve this?
thanks,
Libo