netdev.vger.kernel.org archive mirror
From: Lorenzo Colitti <lorenzo@google.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Mack <daniel@zonque.org>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	htejun@fb.com, Daniel Borkmann <daniel@iogearbox.net>,
	ast@fb.com, David Miller <davem@davemloft.net>,
	kafai@fb.com, Florian Westphal <fw@strlen.de>,
	harald@redhat.com,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	Sargun Dhillon <sargun@sargun.me>,
	cgroups@vger.kernel.org
Subject: Re: [PATCH v7 0/6] Add eBPF hooks for cgroups
Date: Sun, 30 Oct 2016 00:34:39 +0900
Message-ID: <CAKD1Yr3QfL-biSjQfFgzjMFNoLV7FP9DSB=KNbp+_KyxyQmVMg@mail.gmail.com>
In-Reply-To: <20161029062442.GA61550@ast-mbp.thefacebook.com>

On Sat, Oct 29, 2016 at 3:24 PM, Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
> it could be solved by swapping the order of cgroup_bpf_run_filter()
> and NF_INET_POST_ROUTING in patch 5. It was proposed some time back, but
> the current patch, I think, is more symmetrical.
> cgroup+bpf runs after nf hook on rx and runs before it on tx.
> imo it's more consistent.

I guess what I was trying to say was: what does doing this filtering
in ip_output give you over running this from the netfilter hooks?
Doing this filtering in netfilter is much more general because there
can be complex rules both before and after the filtering is applied. I
hadn't thought of the scalability issue you note below though.

For accounting you probably want to run after the hooks, both for
ingress and for egress, because the hooks can do all sorts of stuff
like drop packets, change packet sizes, reroute them to different
interfaces, etc. Do you see use cases where you want to run before the
hooks?

> Regardless of this choice... are you going to backport cgroupv2 to
> android? Because this set is v2 only.

Certainly anything that can't easily be backported to, say,
android-4.4 is not really feasible in the short term. I don't think we
use network cgroups at all, so if v2 network cgroups can coexist with
v1 cgroups of other types (which what little I've read seems to
indicate) then that should be possible.

> yes. that's certainly doable, but sooner or later such an approach will hit
> a scalability issue when the number of cgroups is large. Same issue we saw
> with cls_bpf and bpf_skb_under_cgroup(). Hence this patch set was needed
> that is centered around cgroups instead of hooks. Note, unlike tc and nf,
> there is no way to attach to a hook. The bpf program is attached to a cgroup.
> It's an important distinction vs everything that currently exists in the stack.

Ah, I see. Out of curiosity, what was the first scaling limitation you
hit? eBPF program length? eBPF map size?

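A constructed model of the accounting-placement point discussed above (an example added here, not code from the thread or from the kernel): packets pass through a chain of netfilter-like hooks that can drop or grow them, and per-cgroup counters taken before the chain diverge from counters taken after it. The hook functions, the struct layout and the sample traffic are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical, simplified packet: not the kernel's sk_buff. */
struct pkt { uint32_t cgroup_id; uint16_t dport; size_t len; bool dropped; };

typedef void (*nf_hook_fn)(struct pkt *p);

/* Constructed hook 1: a filter rule that drops traffic to a blocked port. */
static void hook_drop_port(struct pkt *p) { if (p->dport == 25) p->dropped = true; }
/* Constructed hook 2: encapsulation that adds 40 bytes of outer headers. */
static void hook_encap(struct pkt *p) { if (!p->dropped) p->len += 40; }

#define MAX_CGROUPS 8
struct acct { uint64_t bytes[MAX_CGROUPS]; uint64_t pkts[MAX_CGROUPS]; };

/* Per-cgroup accounting: charge the packet as it looks right now. */
static void account(struct acct *a, const struct pkt *p) {
    if (p->dropped || p->cgroup_id >= MAX_CGROUPS) return;
    a->bytes[p->cgroup_id] += p->len;
    a->pkts[p->cgroup_id]++;
}

/* Egress path model: run the hook chain, accounting before or after it. */
static void egress(struct pkt p, const nf_hook_fn *hooks, size_t nhooks,
                   bool account_after, struct acct *a) {
    if (!account_after) account(a, &p);
    for (size_t i = 0; i < nhooks && !p.dropped; i++) hooks[i](&p);
    if (account_after) account(a, &p);
}

/* Feed constructed traffic for cgroup 1 through one placement and
 * return the bytes charged to it (pkts_out receives the packet count). */
uint64_t bytes_charged(bool account_after, uint64_t *pkts_out) {
    const nf_hook_fn hooks[] = { hook_drop_port, hook_encap };
    struct acct a = {{0}, {0}};
    const struct pkt traffic[] = {
        {1, 443, 1000, false},
        {1,  25,  500, false},   /* dropped by hook 1 */
        {1,  80,  200, false},
    };
    for (size_t i = 0; i < sizeof traffic / sizeof traffic[0]; i++)
        egress(traffic[i], hooks, 2, account_after, &a);
    if (pkts_out) *pkts_out = a.pkts[1];
    return a.bytes[1];
}
```

Accounting before the chain charges 1700 bytes and 3 packets to cgroup 1; accounting after it charges 1280 bytes and 2 packets, because the dropped packet is never sent and the survivors left the host 40 bytes larger.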

Thread overview: 25+ messages
2016-10-25 10:14 [PATCH v7 0/6] Add eBPF hooks for cgroups Daniel Mack
2016-10-25 10:14 ` [PATCH v7 1/6] bpf: add new prog type for cgroup socket filtering Daniel Mack
2016-10-25 10:14 ` [PATCH v7 4/6] net: filter: run cgroup eBPF ingress programs Daniel Mack
2016-10-25 10:14   ` [PATCH v7 2/6] cgroup: add support for eBPF programs Daniel Mack
2016-10-25 10:14   ` [PATCH v7 3/6] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands Daniel Mack
2016-10-25 10:14   ` [PATCH v7 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs Daniel Mack
2016-10-31 16:40     ` David Miller
2016-11-02  1:17         ` Daniel Borkmann
2016-10-25 10:14   ` [PATCH v7 6/6] samples: bpf: add userspace example for attaching eBPF programs to cgroups Daniel Mack
2016-10-26 19:59 ` [PATCH v7 0/6] Add eBPF hooks for cgroups Pablo Neira Ayuso
2016-10-27  3:35   ` Alexei Starovoitov
2016-10-28 11:28       ` Pablo Neira Ayuso
2016-10-28 15:00         ` David Ahern
2016-10-29  1:42         ` Alexei Starovoitov
2016-10-27  8:40   ` Daniel Mack
2016-10-28 11:53       ` Pablo Neira Ayuso
2016-10-28 12:07         ` Daniel Mack
2016-10-29  3:51       ` Lorenzo Colitti
2016-10-29  4:51           ` Alexei Starovoitov
2016-10-29  4:59               ` Lorenzo Colitti
2016-10-29  6:24                   ` Alexei Starovoitov
2016-10-29 15:34                     ` Lorenzo Colitti [this message]
2016-10-29 20:29                       ` Daniel Borkmann
2016-11-01 15:25                         ` Lorenzo Colitti
2016-11-01 15:38                             ` David Miller
