Thread: 16 messages, 5 authors, 2016-08-25

Re: [PATCH 0/5] Networking cgroup controller

From: Tejun Heo <tj@kernel.org>
Date: 2016-08-24 21:07:19
Also in: cgroups

Hello, Anoop.

On Wed, Aug 10, 2016 at 05:53:13PM -0700, Anoop Naravaram wrote:
> This patchset introduces a cgroup controller for the networking subsystem as a
> whole. As of now, this controller will be used for:
> 
> * Limiting the specific ports that a process in a cgroup is allowed to bind
>   to or listen on. For example, you can say that all the processes in a
>   cgroup can only bind to ports 1000-2000, and listen on ports 1000-1100, which
>   guarantees that the remaining ports will be available for other processes.
> 
> * Restricting which DSCP values processes can use with their sockets. For
>   example, you can say that all the processes in a cgroup can only send
>   packets with a DSCP tag between 48 and 63 (corresponding to TOS values of
>   192 to 255).
> 
> * Limiting the total number of udp ports that can be used by a process in a
>   cgroup. For example, you can say that all the processes in one cgroup are
>   allowed to use a total of up to 100 udp ports. Since the total number of udp
>   ports that can be used by all processes is limited, this is useful for
>   rationing out the ports to different process groups.
> 
> In the future, more networking-related properties may be added to this
> controller.
Thanks for working on this; however, I share the sentiment expressed
by others that this looks like too piecemeal an approach.  If there
are no alternatives, we surely should consider this but it at least
*looks* like bpf should be able to cover the same functionalities
without having to revise and extend in-kernel capabilities constantly.

Thanks.

-- 
tejun
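The three policies in the quoted cover letter (bind/listen port ranges, a DSCP window, and a per-cgroup budget of UDP ports) are simple enough to model in userspace, and doing so makes the semantics concrete: the listen range is checked separately from the bind range, the DSCP check must look at the upper six bits of the TOS byte rather than the raw value, and the UDP budget is a count of distinct ports, not of sockets. The program below is an added example written for this page; it is not code from the patchset or from the kernel, and the `netcg_*` names, the `struct netcg` layout and the scenario helpers are hypothetical. The same checks are what a cgroup-attached BPF program would make today in the bind and setsockopt hooks, which is the direction Tejun's reply points at.

```c
/* Userspace model of the per-cgroup networking policy from the cover letter.
 * Added example; hypothetical names, not the patchset's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NETCG_NPORTS 65536

struct netcg {
    uint16_t bind_lo, bind_hi;       /* ports a socket may bind() to */
    uint16_t listen_lo, listen_hi;   /* ports a socket may listen() on */
    uint8_t  dscp_lo, dscp_hi;       /* permitted DSCP codepoints, 0..63 */
    unsigned udp_limit;              /* max distinct UDP ports in use */
    unsigned udp_in_use;             /* distinct UDP ports currently bound */
    uint16_t udp_refs[NETCG_NPORTS]; /* sockets bound per UDP port */
};

static bool in_range(unsigned v, unsigned lo, unsigned hi)
{
    return v >= lo && v <= hi;
}

/* bind() hook. Port 0 asks the kernel for an ephemeral port, which could
 * fall outside the range, so a range policy cannot simply allow it; this
 * model rejects it (a real controller would pick from the range instead). */
bool netcg_check_bind(const struct netcg *cg, uint16_t port)
{
    if (port == 0)
        return false;
    return in_range(port, cg->bind_lo, cg->bind_hi);
}

/* listen() hook, checked independently of the bind range: a cgroup can be
 * allowed to bind 1000-2000 but only accept connections on 1000-1100. */
bool netcg_check_listen(const struct netcg *cg, uint16_t port)
{
    return in_range(port, cg->listen_lo, cg->listen_hi);
}

/* setsockopt(IP_TOS) hook. The TOS byte carries DSCP in its upper six bits
 * and ECN in the low two, so compare tos >> 2, never the raw byte.
 * DSCP 48..63 is TOS 192..255, as the cover letter states. */
bool netcg_check_tos(const struct netcg *cg, uint8_t tos)
{
    uint8_t dscp = tos >> 2;
    return in_range(dscp, cg->dscp_lo, cg->dscp_hi);
}

/* UDP port accounting: charge distinct ports, not sockets, so a
 * SO_REUSEPORT group sharing one port consumes one unit of the budget. */
bool netcg_udp_acquire(struct netcg *cg, uint16_t port)
{
    if (cg->udp_refs[port] == 0) {
        if (cg->udp_in_use >= cg->udp_limit)
            return false;
        cg->udp_in_use++;
    }
    cg->udp_refs[port]++;
    return true;
}

void netcg_udp_release(struct netcg *cg, uint16_t port)
{
    if (cg->udp_refs[port] == 0)
        return;                      /* double release: ignore */
    if (--cg->udp_refs[port] == 0)
        cg->udp_in_use--;
}

/* The cgroup configured exactly as in the cover letter's examples. */
const struct netcg *netcg_example(void)
{
    static struct netcg cg;
    memset(&cg, 0, sizeof cg);
    cg.bind_lo = 1000;   cg.bind_hi = 2000;
    cg.listen_lo = 1000; cg.listen_hi = 1100;
    cg.dscp_lo = 48;     cg.dscp_hi = 63;
    cg.udp_limit = 100;
    return &cg;
}

/* Scenario: bind successive UDP ports until the budget is exhausted and
 * return how many distinct ports were admitted. Along the way, verify that
 * a second socket on an already-charged port is free and that releasing a
 * port frees a slot; return 0 if either expectation fails. */
unsigned netcg_udp_scenario(void)
{
    static struct netcg cg;
    unsigned admitted = 0;

    cg = *netcg_example();
    for (unsigned p = 1000; p < 1200; p++)
        if (netcg_udp_acquire(&cg, (uint16_t)p))
            admitted++;
    if (!netcg_udp_acquire(&cg, 1000))   /* second socket on a charged port */
        return 0;
    netcg_udp_release(&cg, 1099);        /* last admitted port goes away */
    if (!netcg_udp_acquire(&cg, 1150))   /* freed slot can be reused */
        return 0;
    return admitted;
}

int main(void)
{
    const struct netcg *cg = netcg_example();
    printf("bind 1500: %d  bind 2001: %d  listen 1500: %d\n",
           netcg_check_bind(cg, 1500), netcg_check_bind(cg, 2001),
           netcg_check_listen(cg, 1500));
    printf("tos 0xC0 (DSCP 48): %d  tos 0xBF (DSCP 47): %d\n",
           netcg_check_tos(cg, 0xC0), netcg_check_tos(cg, 0xBF));
    printf("distinct UDP ports admitted: %u\n", netcg_udp_scenario());
    return 0;
}
```

Two details are worth noting. Ephemeral-port selection (bind to port 0, or connect() without a bind) is the awkward case for a bind-range policy, because the kernel picks the port after the check; a real implementation has to constrain the autobind path too, not just explicit bind() calls. And because TOS 0xBF is DSCP 47 with both ECN bits set, a check on the raw TOS byte against 192..255 would wrongly reject DSCP 48 with ECN bits clear and accept nothing below 0xC0 regardless of ECN; shifting off the ECN bits first is what makes the stated DSCP/TOS correspondence hold.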