
[Proposal] Don't attach cgroup hooks when no pname routing + nonzero so_mark_from_dae

Open jschwinger233 opened this issue 7 months ago • 1 comment

Proposal

Cgroup hooks are primarily used for pname-based routing (e.g., pname(NetworkManager) -> direct). If no pname-based routing rules are defined, there is little justification for attaching cgroup hooks.

Another use of pname/pid is in the pid_is_control_plane check within wan_egress, which results in a must_direct verdict for Dae traffic. When a nonzero so_mark_from_dae is configured, we can alternatively rely on skb->mark to serve the same purpose.

Therefore, this issue proposes skipping cgroup hook attachment when:

  1. No pname-based routing is defined.
  2. A nonzero so_mark_from_dae is set.

Use Cases

ditto

Potential Benefits

Lower system resource usage

Scope

No response

Reference

No response

Implementation

No response

jschwinger233 • May 22 '25 08:05

Thanks for opening this issue!

dae-prow[bot] • May 22 '25 08:05