On Wed, Aug 17, 2016 at 05:51:44PM +0200, Daniel Mack wrote: > On 08/17/2016 05:06 PM, Tejun Heo wrote: > > What I'd suggest is keeping two sets of pointers, one set for the > > programs explicitly attached to the cgroup and the other for programs > > which are to be executed for the cgroup. The two pointers in the > > latter set will point to the closest non-null program in its ancestry. > > Note that the pointers may point to programs belonging to different > > ancestors. > > > > A - B - C > > \ D - E > > > > Let's say B has both ingress and egress programs and D only has > > egress. E's execution pointers should point to D's egress program and > > B's ingress program. > > > > The pointers would need to be updated > > > > 1. When a program is installed or removed. For simplicity's sake, we > > can just walk the whole hierarchy. If that's too expensive > > (shouldn't be), we can find out the closest ancestor where both > > programs can be determined and then walk from there. > > > > 2. When a new cgroup is created, it should inherit its execution table > > from its parent. > > Ok, yes, that sounds sane to me. Will implement that scheme.
That makes sense to me as well. Sounds quite flexible and fast with only one check per packet per direction.
