From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Thomas Graf <tgraf@suug.ch>
Cc: netfilter-devel@vger.kernel.org, kaber@trash.net,
	netdev@vger.kernel.org, davem@davemloft.net
Subject: Re: [PATCH 5/7] net: add netfilter ingress hook
Date: Fri, 10 Apr 2015 22:08:08 +0200
Message-ID: <20150410200808.GA5968@salvia>
In-Reply-To: <20150410132120.GE23070@casper.infradead.org>

On Fri, Apr 10, 2015 at 02:21:20PM +0100, Thomas Graf wrote:
> On 04/10/15 at 02:15pm, Pablo Neira Ayuso wrote:
> >  static int __netif_receive_skb_ingress(struct sk_buff *skb, bool pfmemalloc,
> >  				       struct net_device *orig_dev)
> >  {
> > @@ -3772,6 +3800,8 @@ skip_taps:
> >  	if (!skb)
> >  		return NET_RX_DROP;
> >  #endif
> > +	if (nf_hook_ingress_active(skb))
> > +		return nf_hook_ingress(skb, pt_prev, orig_dev, pfmemalloc);
> >  
> >  	return __netif_receive_skb_finish(skb, pfmemalloc, pt_prev, orig_dev);
> >  }
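
Review bot: the early return added after the `#endif` hands the packet to nf_hook_ingress() and skips the __netif_receive_skb_finish() call on the next line, so on an accept verdict the hook path itself has to complete delivery using the pt_prev, orig_dev and pfmemalloc it is passed. That contract is not visible from this hunk; a short comment above the check stating that nf_hook_ingress() is responsible for the finish step would make it reviewable here. The check also sits outside the preceding conditional block, so nf_hook_ingress_active() needs a constant-false stub when the ingress hook is not built, otherwise every received packet pays for the test.
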
> 
> I would favour if we avoid for every subsystem to manage its ingress
> filter pointers in net_device. From a net_device perspective, all it
> takes is a single pointer which points to a single linked list of
> filters which need to be run through. These entries could represent
> an ingress qdisc or a netfilter chain or something else (L2 ingress
> qdisc?).
> 
> I know it's only 24 bytes but I'm trying hard to keep net_device below
> 2K.

Then it would probably be good to investigate if we can come up with
some extension infrastructure for net_device (I think Patrick already
suggested this during netdev0.1), so things are allocated based on
available features.
