From: Jonathan Morton <chromatix99@gmail.com>
To: Dave Taht <dave.taht@gmail.com>
Cc: Cake List <cake@lists.bufferbloat.net>
Subject: Re: [Cake] ebpf policing?
Date: Wed, 8 Aug 2018 16:04:34 +0300 [thread overview]
Message-ID: <AD865752-ECBE-4B36-889E-94DAD7E9B5D7@gmail.com> (raw)
In-Reply-To: <CAA93jw7u5jiAhBoMfSYVJBPk8jf=p2qOR3q7W9vBvwd8RRaY3A@mail.gmail.com>
> On 7 Aug, 2018, at 3:12 am, Dave Taht <dave.taht@gmail.com> wrote:
>
>> Writing a modern policer in ebpf is feasible. it's got nsec
>> timestamping, counters, threads, lots of potential parallelism. Loops
>> that have to be carefully bound. The worst possible config api. A nice
>> statistics export system.
>>
>> Classic policers use token buckets, but anyone up for codel,
>> time_per_byte, framing awareness and deficits, and a little aqm?
>
> :crickets: :)
>
> I started taking a stab at writing a straight tc filter for this,
> trying to learn enough about how the tc filter subsystem works
> today - like, can you scribble on a packet? Can you keep local state?
I actually thought about it myself, but while it's undoubtedly *possible* to write a policer in eBPF, I don't see an overwhelmingly good reason to actually do so. It still makes the most sense to do it in C, for maximum performance, until the semantics are proved useful enough to bake in hardware.
There does still seem to be an awful lot of boilerplate in a netfilter action, though. Makes it harder to tease out what is actually going on.
> What's this rcu thing do?
Read-Copy-Update is a scheme for efficient, lock-free concurrent access, where most of the accesses are reads while changes are comparatively rare. Basically there's a pointer to the real data, and the pointer can be switched atomically after a complete new set of data is constructed, then the old data can be deleted once all the read-only references to it are released. It's a natural fit for configuration data, but would be a bad choice for realtime statistics - better to use atomic_add et al for that.
It strikes me that the filter environment may differ from the qdisc environment in one crucial matter: concurrency. A qdisc is always called with a lock held, so concurrency with respect to itself is not a factor, but maximum throughput is limited. If that is *not* true of a filter action, then greater throughput should be feasible but the programming techniques required will be more subtle. Does anyone know for certain which it is?
- Jonathan Morton
next prev parent reply other threads:[~2018-08-08 13:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-04 11:41 Dave Taht
2018-08-07 0:12 ` Dave Taht
2018-08-08 13:04 ` Jonathan Morton [this message]
2018-08-08 15:13 ` Dave Taht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cake.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AD865752-ECBE-4B36-889E-94DAD7E9B5D7@gmail.com \
--to=chromatix99@gmail.com \
--cc=cake@lists.bufferbloat.net \
--cc=dave.taht@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox