| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKD1Yr2aRDNUxX8onReZyURufphxGoSTek=Fjk3Wswq9WOVp4w@mail.gmail.com>
Date: Sat, 29 Oct 2016 12:51:37 +0900
From: Lorenzo Colitti <lorenzo@...gle.com>
To: Daniel Mack <daniel@...que.org>
Cc: Pablo Neira Ayuso <pablo@...filter.org>, htejun@...com,
Daniel Borkmann <daniel@...earbox.net>, ast@...com,
David Miller <davem@...emloft.net>, kafai@...com,
Florian Westphal <fw@...len.de>, harald@...hat.com,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
sargun@...gun.me, cgroups@...r.kernel.org
Subject: Re: [PATCH v7 0/6] Add eBPF hooks for cgroups
On Thu, Oct 27, 2016 at 5:40 PM, Daniel Mack <daniel@...que.org> wrote:
> It's not anything new. These hooks live on the very same level as
> SO_ATTACH_FILTER. The only differences are that the BPF programs are
> stored in the cgroup, and not in the socket, and that they exist for
> egress as well.
What's the use case for egress?
We (android networking) are currently looking at implementing network
accounting via eBPF in order to replace the out-of-tree xt_qtaguid
code. A per-cgroup eBPF program run on all traffic would be great. But
when we looked at this patchset we realized it would not be useful for
accounting purposes because even if a packet is counted here, it might
still be dropped by netfilter hooks.
It seems like it would be much more useful to be able to do this in an
iptables rule.
Powered by blists - more mailing lists