Wed, Sep 06, 2017 at 06:04:17AM CEST, ro...@cumulusnetworks.com wrote:
>On Tue, Sep 5, 2017 at 3:45 PM, Daniel Borkmann <dan...@iogearbox.net> wrote:
>> On 09/06/2017 12:01 AM, Roopa Prabhu wrote:
>>>
>>> On Tue, Sep 5, 2017 at 11:18 AM, Cong Wang <xiyou.wangc...@gmail.com>
>>> wrote:
>>>>
>>>> On Tue, Sep 5, 2017 at 5:48 AM, Nikolay Aleksandrov
>>>> <niko...@cumulusnetworks.com> wrote:
>>>>>
>>>>> Hi all,
>>>>> This RFC adds a new mode for clsact which designates a device's egress
>>>>> classifier as global per netns. The packets that are not classified for
>>>>> a particular device will be classified using the global classifier.
>>>>> We have needed a global classifier for some time now for various
>>>>> purposes and setting the single bridge or loopback/vrf device as the
>>
>>
>> Can you elaborate a bit more on the ... "we have needed a global
>> classifier for some time now for various purposes".
>
>Most of our ACLs are global or use a wildcard. E.g. iptables supports
>global rules without a dev. We do end up having hundreds of netdevs.
>Another use case for the future is use of tc for policy based routing
>which requires global rules.

That is not how TC works. There are devices, qdiscs, blocks, chains. The
global approach does not fit. The block sharing gets you what you need,
without need for any ugly hack.
