Message-ID: <50F3BD26.6090903@monom.org>
Date:	Mon, 14 Jan 2013 09:09:10 +0100
From:	Daniel Wagner <wagi@...om.org>
To:	Alexey Perevalov <a.perevalov@...sung.com>
CC:	cgroups@...r.kernel.org, Glauber Costa <glommer@...allels.com>,
	Kyungmin Park <kyungmin.park@...sung.com>,
	netdev@...r.kernel.org
Subject: Re: [RFC PATCH v3] cgroup: net_cls: traffic counter based on classification
 control cgroup

Hi Alexey,

On 11.01.2013 17:59, Alexey Perevalov wrote:
> I'm sorry for previous email with attachments.

It seems something went wrong with the patch, e.g. indentation is wrong 
and also I see '^M$' line endings. I assume you are sending your patches 
through an exchange server which is likely not to work.

> I would like to represent next version of patch I sent before
> cgroup: "net_cls: traffic counter based on classification control cgroup"
>
> The main idea is the same as it was. It keeps the counter in control groups,
> but now uses atomic instead of resource_counters.

+#if IS_ENABLED(CONFIG_NET_CLS_COUNTER)
+ if (copied > 0)
+ count_cls_rcv(current, copied, ifindex);
+#endif
+
release_sock(sk);
return copied;
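
Review bot: The `#if IS_ENABLED(CONFIG_NET_CLS_COUNTER)` guard sits directly in the receive path around the `count_cls_rcv(current, copied, ifindex)` call; kernel style prefers keeping the conditional out of the .c file by giving the header an empty static inline `count_cls_rcv()` stub for the disabled case, so the call site stays a plain `if (copied > 0)` call. The call is also placed before `release_sock(sk)`, so the accounting runs with the socket lock held; unless it needs that lock, moving it after `release_sock(sk)` would shorten the hold time.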

Normally, distros will enable most config flags. Maybe you could use
a jump label to reduce the cost for the users which have 
CONFIG_NET_CLS_COUNTER enabled and do not use it?

> I have a performance measurement for this patch. It was done by lmbench
> on physical machine.
> Results are not so representative for 20 tests and some numbers are real
> weird.

Could you explain in the commit message how your patch is designed? I 
see you are using a RB tree. What's the purpose of it?

> Daniel Wagner wrote that he is doing something similar, but using
> namespaces.

I am trying a different approach on this problem using iptables. I am 
playing around with a few patches which allow installing an iptables rule
which matches on the security context, e.g.

iptables -t mangle -A OUTPUT -m secmark --secctx \
unconfined_u:unconfined_r:foo_t:s0-s0:c0.c1023 -j MARK --set-mark 1

So far it looks promising, but my previous networking experience 
is that something will not work eventually.

> Proposed by me approach is used in upcoming Tizen release, but little
> bit different version.

Thanks,
Daniel
