From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Thomas Graf <tgraf@suug.ch>,
	netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
	davem@davemloft.net
Subject: Re: [PATCH 5/7] net: add netfilter ingress hook
Date: Sat, 11 Apr 2015 14:06:48 +0100
Message-ID: <20150411130648.GA15268@acer.localdomain>
In-Reply-To: <20150411125502.GA3810@salvia>

On 11.04, Pablo Neira Ayuso wrote:
> On Fri, Apr 10, 2015 at 10:33:12PM +0100, Patrick McHardy wrote:
> > On 10.04, Pablo Neira Ayuso wrote:
> > > On Fri, Apr 10, 2015 at 02:36:11PM +0100, Patrick McHardy wrote:
> > We do support all families using the regular NF_QUEUE verdict of course.
> > But yes, nf_queue.c will simply drop packets that don't have a netfilter
> > AF registered.
> > 
> > But my question is whether queueing is something that is even worth
> > considering for the NFPROTO_NETDEV family. As I said, it will at best
> > work for ingress anyways and that will actually be more tricky than just
> > calling skb_share_check(), we need to take care of keeping valid
> > references to all the data you currently store in the CB, including the
> > packet_type, the device, things attached to the skb at this point to
> > the stack etc.
> 
> I think we only need to hold the reference on orig_dev. The pt_prev
> pointer in skb CB can actually be removed. Other things attached to
> the skb we already handle this from nf_queue to make sure they don't
> vanish.

Are you sure? What about removable protocols or packet sockets?

> > If we decide not to support queueing for this family we don't have to
> > use netfilter hooks for this and all the refactoring for async resume
> > becomes unnecessary.
> 
> I think the refactoring is worth it. Have a look at the current state of
> this function. It has grown with features over time and it has many
> gotos that force you to travel back and forth when reading this code.
> 
> Regarding the nf_queue support at ingress, I don't see any major
> technical obstacle at this moment to supporting this, and I think that
> existing programs that inspect traffic from userspace can benefit from
> this feature (e.g. IPS).

Yeah, that might be useful, although they seem to be pretty fine with
getting only IPv4 and IPv6. I guess ARP might be interesting as well,
but we also have hooks for that already.

Regarding the refactoring, there seem to be concerns about performance
impact. My suggestion would be to use nf_hook(), make sure no queueing
can happen and therefore no okfn invocations, and then you can simply
add this as a function call to the existing code without the need for
any refactoring or storing state.

You don't lose anything, it only massively simplifies the patches. If
queuing support is added, you can still change it.
