Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups

[RFC PATCH 0/5] Add eBPF hooks for cgroups · Daniel Mack <daniel@zonque.org> · 2016-08-17
[RFC PATCH 2/5] cgroup: add bpf_{e,in}gress pointers · Daniel Mack <daniel@zonque.org> · 2016-08-17
Re: [RFC PATCH 2/5] cgroup: add bpf_{e,in}gress pointers · Tejun Heo <hidden> · 2016-08-17
Re: [RFC PATCH 2/5] cgroup: add bpf_{e,in}gress pointers · Alexei Starovoitov <hidden> · 2016-08-17
Re: [RFC PATCH 2/5] cgroup: add bpf_{e,in}gress pointers · Tejun Heo <hidden> · 2016-08-17
[RFC PATCH 4/5] net: filter: run cgroup eBPF programs · Daniel Mack <daniel@zonque.org> · 2016-08-17
Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs · Tejun Heo <hidden> · 2016-08-17
Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs · Daniel Mack <daniel@zonque.org> · 2016-08-17
Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs · Tejun Heo <hidden> · 2016-08-17
Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs · Alexei Starovoitov <hidden> · 2016-08-17
Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs · Alexei Starovoitov <hidden> · 2016-08-17
Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs · Sargun Dhillon <hidden> · 2016-08-21
Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs · Tejun Heo <hidden> · 2016-08-25
[RFC PATCH 1/5] bpf: add new prog type for cgroup socket filtering · Daniel Mack <daniel@zonque.org> · 2016-08-17
[RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Daniel Mack <daniel@zonque.org> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Tejun Heo <hidden> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Daniel Mack <daniel@zonque.org> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Tejun Heo <hidden> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Daniel Mack <daniel@zonque.org> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Alexei Starovoitov <hidden> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Tejun Heo <hidden> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Eric Dumazet <hidden> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Alexei Starovoitov <hidden> · 2016-08-17
Re: [RFC PATCH 3/5] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands · Daniel Mack <daniel@zonque.org> · 2016-08-19
[RFC PATCH 5/5] samples: bpf: add userspace example for attaching eBPF programs to cgroups · Daniel Mack <daniel@zonque.org> · 2016-08-17
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Pablo Neira Ayuso <pablo@netfilter.org> · 2016-08-19
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Daniel Mack <daniel@zonque.org> · 2016-08-19
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Daniel Borkmann <daniel@iogearbox.net> · 2016-08-19
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Pablo Neira Ayuso <pablo@netfilter.org> · 2016-08-19
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Thomas Graf <tgraf@suug.ch> · 2016-08-19
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Pablo Neira Ayuso <pablo@netfilter.org> · 2016-08-19
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Thomas Graf <tgraf@suug.ch> · 2016-08-19
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Pablo Neira Ayuso <pablo@netfilter.org> · 2016-08-22
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Daniel Mack <daniel@zonque.org> · 2016-08-22
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Sargun Dhillon <hidden> · 2016-08-22
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Daniel Mack <daniel@zonque.org> · 2016-08-23
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Sargun Dhillon <hidden> · 2016-08-23
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Daniel Mack <daniel@zonque.org> · 2016-08-23
Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups · Alexei Starovoitov <hidden> · 2016-08-19

From: Sargun Dhillon <hidden>
Date: 2016-08-23 09:54:12

On Tue, Aug 23, 2016 at 10:27:28AM +0200, Daniel Mack wrote:

On 08/22/2016 07:20 PM, Sargun Dhillon wrote:

quoted

On Mon, Aug 22, 2016 at 06:22:20PM +0200, Daniel Mack wrote:

quoted

On 08/22/2016 06:06 PM, Pablo Neira Ayuso wrote:

quoted

This patchset also needs an extra egress hook, not yet known where to
be placed, so two hooks in the network stacks in the end,

That should be solvable, I'm sure. I can as well leave egress out for
the next version so it can be added later on.

Any idea where you might put that yet? Does dev_xmit seems like a reasonable 
place?

Ah, yes. Thanks for the pointer, that seems to work fine.

Daniel pointed out to me that there's already a BPF program that's used there 
for tc matches. So, it should work fine. I would just verify you can call 
programs from IRQs, and rcu_bh plays well with it.

Alternatively, if you want to filter only IP traffic, ip_output, and ip6_output 
are fairly good places. I'm planning on putting some LSM hooks there soon. It's 
a bit simpler.

I also suggest you use verdicts rather than trimming for simplicity sake.

quoted

If someone uses the netprio, or the net classid controllers, skcd matches
no longer work.

Yes, sock_cgroup_ptr() will fall back to the v2 root in this case.

quoted

Ideally, we should fix up these controllers to make them
more v2 friendly.

These controllers do not exist for v2, that's why sock_cgroup_ptr()
behaves that way. What's your idea to fix that up?

I think that we should just add another pointer to the end of sock_cgroup_data 
while we're in this state of transition, and nudge people to disable 
CONFIG_CGROUP_NET_PRIO and CONFIG_CGROUP_NET_CLASSID over time.

Alternatively, we add these controllers for v2, and we have some kind of marker 
whether or not they're on v2 in the skcd. If they are, we can find the cgroup, 
and get the prioidx, and classid from the css. Although the comment in 
cgroup-defs.h suggests that v2 and classid should never be used concurrently, I 
can't help but to disagree, given there's legacy infrastructure that leverages 
classid.


Thanks,
Daniel

Looking forward to seeing these patches,
-Sargun

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help