On Sat, Oct 29, 2016 at 12:51:37PM +0900, Lorenzo Colitti wrote: > On Thu, Oct 27, 2016 at 5:40 PM, Daniel Mack <daniel@xxxxxxxxxx> wrote: > > It's not anything new. These hooks live on the very same level as > > SO_ATTACH_FILTER. The only differences are that the BPF programs are > > stored in the cgroup, and not in the socket, and that they exist for > > egress as well. > > What's the use case for egress? > > We (android networking) are currently looking at implementing network > accounting via eBPF in order to replace the out-of-tree xt_qtaguid > code. A per-cgroup eBPF program run on all traffic would be great. But > when we looked at this patchset we realized it would not be useful for > accounting purposes because even if a packet is counted here, it might > still be dropped by netfilter hooks. don't use out-of-tree and instead drop using this mechanism or any other in-kernel method? ;) We (facebook infrastructure) have been using iptables and bpf networking together with great success. They nicely co-exist and complement each other. There is no need to reinvent the wheel if existing solution works. iptables are great for their purpose. > It seems like it would be much more useful to be able to do this in an > iptables rule. there is iptables+cBPF support. It's being used in some cases already. -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
