lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAM_iQpU-Z5qQOW=0FV4uXo__EDmyMqycgiuyykfHD8TN+-xZ-w@mail.gmail.com>
Date:   Wed, 4 Aug 2021 10:50:37 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     Peilin Ye <yepeilin.cs@...il.com>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Jiri Pirko <jiri@...nulli.us>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Cong Wang <cong.wang@...edance.com>,
        Peilin Ye <peilin.ye@...edance.com>,
        Alexei Starovoitov <ast@...nel.org>,
        John Fastabend <john.fastabend@...il.com>
Subject: Re: [PATCH net-next 1/2] net/sched: sch_ingress: Support clsact
 egress mini-Qdisc option

On Tue, Aug 3, 2021 at 1:08 AM Daniel Borkmann <daniel@...earbox.net> wrote:
>
> On 8/3/21 2:08 AM, Cong Wang wrote:
> > On Mon, Aug 2, 2021 at 2:11 PM Daniel Borkmann <daniel@...earbox.net> wrote:
> >>
> >> NAK, just use clsact qdisc in the first place which has both ingress and egress
> >> support instead of adding such hack. You already need to change your scripts for
> >> clsact-on, so just swap 'tc qdisc add dev eth0 ingress' to 'tc qdisc add dev eth0
> >> clsact' w/o needing to change kernel.
> >
> > If we were able to change the "script" as easily as you described,
> > you would not even see such a patch. The fact is it is not under
> > our control, the most we can do is change the qdisc after it is
> > created by the "script", ideally without interfering its traffic,
> > hence we have such a patch.
> >
> > (BTW, it is actually not a script, it is a cloud platform.)
>
> Sigh, so you're trying to solve a non-technical issue with one cloud provider by
> taking a detour for unnecessarily extending the kernel instead with functionality
> that already exists in another qdisc (and potentially waiting few years until they
> eventually upgrade). I presume Bytedance should be a big enough entity to make a
> case for that provider to change it. After all swapping ingress with clsact for
> such script is completely transparent and there is nothing that would break. (Fwiw,
> from all the major cloud providers we have never seen such issue in our deployments.)

Well, it is both non-technical and technical at the same time.

The non-technical part is that it is really hard to convince people from
other team to restart their services just for a kernel change, people are just
not happy to take risks.

The technical part is the bad design of clsact. It is too late to complain,
but it should not create two _conceptual_  qdiscs (actually just one struct
Qdisc) at the same time. If it only created just egress, we would
not even bother changing ingress at all. Sigh.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ