On Thu, Mar 7, 2013 at 7:41 AM, Rajahalme, Jarno (NSN - FI/Espoo)
<jarno.rajaha...@nsn.com> wrote:
> I recall someone mentioning on this list that the only planned use for 
> skb_mark is for ipsec tunneling. At least currently this seems to be the 
> case, as the only place where the skb_mark is set to a potentially non-zero 
> value in userspace is in tnl_port_send(). The kernel datapath may also 
> provide a non-zero skb_mark via odp_flow_key_to_flow().
>
> Also, we say in ofputil_usable_protocols():
>
>     /* skb_mark and skb_priority can't be sent in a flow_mod */
>     if (wc->masks.skb_mark || wc->masks.skb_priority) {
>         return OFPUTIL_P_NONE;
>     }
>
> which is consistent with the tunneling-only use.
>
> Also, I believe that "skb_mark" is specific to Linux kernel datapath, and 
> other datapath types should somehow emulate it to implement compatible IPSEC 
> tunneling, knowing that it can only take values of 0 and 1 and that the value 
> 1 together with a tunnel action signals the intention to use an IPSEC tunnel 
> in the next output action.
>
> If this is the case, wouldn't it be better to replace the skb_mark in the 
> userspace struct flow with an IPSEC flag in the struct flow_tnl? This would 
> also shrink the struct flow, as there is compiler provided padding available 
> at the end of struct flow_tnl.

To add to what Ansis said, it's likely that we'll want to use the mark
for a few different things beyond the current single bit indication of
IPsec, which is why the more general mechanism was introduced.  Some
possibilities:
 * More fine grained IPsec lookups, such as based on a certificate.
 * As part of recirculation to connect multiple passes through the flow table.
 * Other interactions with external Linux utilities like iptables.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to