Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs
From: Pablo Neira Ayuso <hidden>
Date: 2016-09-21 15:45:33
Also in:
cgroups
Hi Daniel, On Tue, Sep 20, 2016 at 06:43:35PM +0200, Daniel Mack wrote:
Hi Pablo, On 09/20/2016 04:29 PM, Pablo Neira Ayuso wrote:quoted
On Mon, Sep 19, 2016 at 10:56:14PM +0200, Daniel Mack wrote: [...]quoted
Why would we artificially limit the use-cases of this implementation if the way it stands, both filtering and introspection are possible?Why should we place infrastructure in the kernel to filter packets so late, and why at postrouting btw, when we can do this way earlier before any packet is actually sent?The point is that from an application's perspective, restricting the ability to bind a port and dropping packets that are being sent is a very different thing. Applications will start to behave differently if they can't bind to a port, and that's something we do not want to happen.
What is exactly the problem? Applications are not checking for return value from bind? They should be fixed. If you want to collect statistics, I see no reason why you couldn't collect them for every EACCESS on each bind() call.
Looking at packets and making a verdict on them is the only way to implement what we have in mind. Given that's in line with what netfilter does, it can't be all that wrong, can it?
That output hook was added ~20 years ago... At that time we didn't have anything better than dropping locally generated packets. Today we can probably do something better.
quoted
No performance impact, no need for skbuff allocation and *no cycles wasted to evaluate if every packet is wanted or not*.Hmm, not sure why this keeps coming up. As I said - for accounting, there is no other option than to look at every packet and its size. Regarding the performance concerns, are you saying a netfilter based implementation that uses counters for that purpose would be more efficient?
Because in my tests, just loading the netfilter modules with no rules in place at all has more impact than running the code from 6/6 on every packet.
You must be talking on iptables. When did you test this? We now have on-demand hook registration per-netns, anyway, in nftables you only register what you need. Everytime you mention about performance, it sounds like there is no room to improve what we have... and we indeed have room and ideas to get this flying faster, but keeping in mind good integration with our generic network stack and extensible interfaces, that's important too. On top of that, I started working on some preliminary patches to add nftables jit, will be talking on this during NetDev 1.2 netfilter/nftables workshop. I would expect numbers close to what you're observing with this solution.