On 8/22/2019 3:36 PM, David Miller wrote: > From: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> > Date: Thu, 22 Aug 2019 15:34:44 -0700 > >> On 8/22/2019 3:28 PM, David Miller wrote: >>> From: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> >>> Date: Thu, 22 Aug 2019 14:59:37 -0700 >>> >>>> Sure, you *can* do that, but it would be insane to do so. >>> We look up the neighbour table entries on every single packet we >>> transmit from the kernel in the same exact way. >>> >>> And it was exactly to get rid of a pointer in a data structure. >> I very much expect that the lifecycle management issues would >> be completely different, but I'll admit to having little understanding >> of the details of the neighbour table. > Neighbour table entries can live anywhere from essentially forever down > to several microseconds. > > If your hash is good, and you use RCU locking on the read side, it's a > single pointer dereference in cost. The secmark is the data used by the netfilter system. While it would be (Turing compatible, after all) possible, we're talking multiple attributes with different lifecycles being managed in a table (list, whatever) that may expand explosively. Using a single ID to reference into a table that could contain: secmark from iptables for SELinux secmark from iptables for AppArmor SELinux secid/context for the packet AppArmor secid/context for the packet will be hairy. In the netfilter processing we may have to allocate a new table entry. There's no way to identify that the entry is no longer necessary, as there is no lifecycle on a secmark. Is it possible to come up with something that will limp along? Possibly. If there's a blob pointer, we know how to do all this effectively.
