On Mon, Aug 17, 2020 at 4:19 AM Jamal Hadi Salim <[email protected]> wrote:
>
> On 2020-08-16 2:59 p.m., Cong Wang wrote:
> > On Thu, Aug 13, 2020 at 5:52 AM Jamal Hadi Salim <[email protected]> wrote:
>
>
> [..]
> >> How do you know whether to use hash or mark or both
> >> for that specific key?
> >
> > Hmm, you can just unconditionally pass skb->hash and skb->mark,
> > no? Something like:
> >
> > if (filter_parameter_has_hash) {
> > match skb->hash with cls->param_hash
> > }
> >
> > if (filter_parameter_has_mark) {
> > match skb->mark with cls->param_mark
> > }
> >
> >
> > fw_classify() uses skb->mark unconditionally anyway, without checking
> > whether it is set or not first.
> >
>
> There is no ambiguity of intent in the fw case, there is only one field.
> In the case of having multiple fields it is ambigious if you
> unconditionally look.
>
> Example: policy says to match skb mark of 5 and hash of 3.
> If packet arrives with skb->mark is 5 and skb->hash is 3
> very clearly matched the intent of the policy.
> If packet arrives withj skb->mark 7 and hash 3 it clearly
> did not match the intent. etc.
This example clearly shows no ambiguous, right? ;)
>
> > But if filters were put in a global hashtable, the above would be
> > much harder to implement.
> >
>
> Ok, yes. My assumption has been you will have some global shared
> structure where all filters will be installed on.
Sure, if not hashtable, we could simply put them in a list:
list_for_each_filter {
if (filter_parameter_has_hash) {
match skb->hash with cls->param_hash
}
if (filter_parameter_has_mark) {
match skb->mark with cls->param_mark
}
}
>
> I think i may have misunderstood all along what you were saying
> which is:
>
> a) add the rules so they are each _independent with different
> priorities_ in a chain.
Yes, because this gives users freedom to pick a different prio
from its value (hash or mark).
>
> b) when i do lookup for packet arrival, i will only see a filter
> that matches "match mark 5 and hash 3" (meaning there is no
> ambiguity on intent). If packet data doesnt match policy then
> i will iterate to another filter on the chain list with lower
> priority.
Right. Multiple values mean AND, not OR, so if you specify
mark 5 and hash 3, it will match skb->mark==5 && skb->hash==3.
If not matched, it will continue the iteration until the end.
>
> Am i correct in my understanding?
>
> If i am - then we still have a problem with lookup scale in presence
> of a large number of filters since essentially this approach
> is linear lookup (similar problem iptables has). I am afraid
> a hash table or something with similar principle goals is needed.
Yeah, this is why I asked you whether we have to put them in a
hashtable in previous emails, as hashtable organizes them with
a key, it is hard to combine multiple fields in one key and allow
to extend easily in the future. But other people smarter than me
may have better ideas here.
Thanks.
