On 9/5/17 9:18 PM, Cong Wang wrote:
On Tue, Sep 5, 2017 at 5:48 AM, Nikolay Aleksandrov
<niko...@cumulusnetworks.com> wrote:
Hi all,
This RFC adds a new mode for clsact which designates a device's egress
classifier as global per netns. The packets that are not classified for
a particular device will be classified using the global classifier.
We have needed a global classifier for some time now for various
purposes and setting the single bridge or loopback/vrf device as the
global classifier device is acceptable for us. Doing it this way avoids
the act/cls device and queue dependencies.

This is strictly an RFC patch just to show the intent, if we agree on
the details the proposed patch will have support for both ingress and
egress, and will be using a static key to avoid the fast path test when no
global classifier has been configured.

Example (need a modified tc that adds TCA_OPTIONS when using q_clsact):
$ tc qdisc add dev lo clsact global
$ tc filter add dev lo egress protocol ip u32 match ip dst 4.3.2.1/32 action drop

the last filter will be global for all devices that don't have a
specific egress_cl_list (i.e. have clsact configured).

Sorry this is too ugly

netdevice is still implied in your command line even if you treat it
as global. It is essentially hard to bypass netdevice layer since
netdevice is the core of L2 and also where everything begins.


This is only a quick RFC, that can be removed entirely if we limit it to the netns and its loopback device. Then we can drop the "device" keyword altogether.

Maybe the best we can do here is make tc filters standalone
as tc actions so that filters can exist before qdiscs and netdevices.
But this probably requires significant work to make it work
with both existing non-standalone and binding standalones
with qdiscs.


We've actually been discussing this option internally as well.
I think we'll look into doing that regardless of this patch.
Note I didn't look deeply into this, just one thought, at least this
appears less ugly than yours.


What I did was aimed at simplicity and is merely a mode of clsact which
doesn't have an impact if not configured. Every other solution requires
a much more invasive change, note that doesn't mean I don't agree. :-)