* Meaning of NFQUEUE's --queue-balance option
@ 2012-01-16 11:01 Andres Velasco Garcia
  2012-01-16 15:56 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Andres Velasco Garcia @ 2012-01-16 11:01 UTC (permalink / raw)
  To: netfilter


I would like to understand how load is distributed across different queues using NFQUEUE's --queue-balance option.

The only information I could find on the subject is in the iptables man page, where I read: "Packets belonging to the same connection are put into the same nfqueue"

I have two questions:
1- Would this be true also if NFQUEUE target is triggered within the "mangle" and not the "nat" table?
2- I would find it useful for my application if all packets from/to the same IP address (not only "connection") would flow through the same queue always. Is this somehow ensured by queue-balance?
 
Thanks

Andres Velasco 
M: +34 670 40 73 69 
Skype: newwwave.andres.velasco

* Re: Meaning of NFQUEUE's --queue-balance option
  2012-01-16 11:01 Meaning of NFQUEUE's --queue-balance option Andres Velasco Garcia
@ 2012-01-16 15:56 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2012-01-16 15:56 UTC (permalink / raw)
  To: Andres Velasco Garcia; +Cc: netfilter

On Mon, Jan 16, 2012 at 12:01:43PM +0100, Andres Velasco Garcia wrote:
> 
> I would like to understand how load is distributed across different queues using NFQUEUE's --queue-balance option.
> 
> The only information I could find on the subject is in the iptables man page, where I read: "Packets belonging to the same connection are put into the same nfqueue"

It's a hash-based approach. You hash on the packet descriptors
(source/destination/...), thus, the load is distributed between
several user-space processes.

See a recent version of linux/net/netfilter/xt_NFQUEUE.c for more information.

> I have two questions:
> 1- Would this be true also if NFQUEUE target is triggered within the "mangle" and not the "nat" table?

On the nat table, you will only see the first packet of the flow.

> 2- I would find it useful for my application if all packets from/to the same IP address (not only "connection") would flow through the same queue always. Is this somehow ensured by queue-balance?

Yes.
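
A small model of the hash-based queue selection described in this reply, added here as an illustration; it is not part of the thread and not the code in xt_NFQUEUE.c. It assumes the hash input is the address pair plus the protocol number and that the 32-bit hash is scaled onto the first:last range; mix32, flow_hash, pick_queue and queue_for are hypothetical names, and the mixing function is a stand-in.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in 32-bit mixer (assumption: NOT the hash the kernel uses). */
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    x ^= x >> 16;
    return x;
}

/* Hash the packet descriptors. The addresses are ordered first, so a packet
 * and its reply (source and destination swapped) produce the same value. */
static uint32_t flow_hash(uint32_t saddr, uint32_t daddr, uint8_t proto)
{
    uint32_t lo = saddr < daddr ? saddr : daddr;
    uint32_t hi = saddr < daddr ? daddr : saddr;
    return mix32(mix32(lo) ^ mix32(hi + 0x9e3779b9U) ^ proto);
}

/* Scale a 32-bit hash onto the range given as --queue-balance first:last. */
static uint16_t pick_queue(uint32_t hash, uint16_t first, uint16_t last)
{
    uint32_t total = (uint32_t)last - first + 1;
    return (uint16_t)(first + (((uint64_t)hash * total) >> 32));
}

/* Queue chosen for one packet, given its addresses and protocol. */
static uint16_t queue_for(uint32_t saddr, uint32_t daddr, uint8_t proto,
                          uint16_t first, uint16_t last)
{
    return pick_queue(flow_hash(saddr, daddr, proto), first, last);
}

int main(void)
{
    /* Constructed sample flow: 192.0.2.10 <-> 198.51.100.7, TCP (6), queues 0:3 */
    uint32_t a = 0xC000020AU, b = 0xC6336407U;
    printf("a->b: queue %u\n", (unsigned)queue_for(a, b, 6, 0, 3));
    printf("b->a: queue %u\n", (unsigned)queue_for(b, a, 6, 0, 3));
    return 0;
}
```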
