On Tue, Sep 5, 2017 at 11:18 AM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Tue, Sep 5, 2017 at 5:48 AM, Nikolay Aleksandrov > <niko...@cumulusnetworks.com> wrote: >> Hi all, >> This RFC adds a new mode for clsact which designates a device's egress >> classifier as global per netns. The packets that are not classified for >> a particular device will be classified using the global classifier. >> We have needed a global classifier for some time now for various >> purposes and setting the single bridge or loopback/vrf device as the >> global classifier device is acceptable for us. Doing it this way avoids >> the act/cls device and queue dependencies. >> >> This is strictly an RFC patch just to show the intent, if we agree on >> the details the proposed patch will have support for both ingress and >> egress, and will be using a static key to avoid the fast path test when no >> global classifier has been configured. >> >> Example (need a modified tc that adds TCA_OPTIONS when using q_clsact): >> $ tc qdisc add dev lo clsact global >> $ tc filter add dev lo egress protocol ip u32 match ip dst 4.3.2.1/32 action >> drop >> >> the last filter will be global for all devices that don't have a >> specific egress_cl_list (i.e. have clsact configured). > > Sorry this is too ugly. > > netdevice is still implied in your command line even if you treat it > as global. It is essentially hard to bypass netdevice layer since > netdevice is the core of L2 and also where everything begins. > > Maybe the best we can do here is make tc filters standalone > as tc actions so that filters can exist before qdisc's and netdevices. > But this probably requires significant works to make it working > with both existing non-standalone and bindings standalones > with qdisc's.
yes, like Nikolay says we have been discussing this as well. Nikolay's patch is a cleaver and most importantly non-invasive way today given the anchor point for tc rules is a netdev. we have also considered a separate implicit tc anchor device. lo seemed like a good fit for all global rules given it is already available. And it is not uncommon to hang off global network config on the loopback interface.
