From: "David S. Miller" <davem@redhat.com>
To: nf@hipac.org
Cc: linux-kernel@vger.kernel.org
Subject: Re: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter
Date: Wed, 25 Sep 2002 15:52:46 -0700 (PDT) [thread overview]
Message-ID: <20020925.155246.41632313.davem@redhat.com> (raw)
In-Reply-To: <200209260041.56374.nf@hipac.org>
From: nf@hipac.org
Date: Thu, 26 Sep 2002 00:41:56 +0200
We have the results of some basic performance tests available on our web page.
The test compares the performance of the iptables filter table to the
performance of nf-hipac. Results are pretty impressive :-)
You missed the real trick, extending the routing tables to
do packet filter rule lookup. That's where the real
performance gains can be found, and how we intend to eventually
make all firewalling/encapsulation/et al. work.
Such a scheme can even obviate socket lookup if implemented properly.
It'd basically be a flow cache, much like route lookups but with an
expanded key set and the capability to stack routes. Such a flow
cache could even be two level, with the top level being %100 cpu local
on SMP (ie. no shared cache lines).
We have to do the route lookup anyways, if it got you to the packet
filtering tables (or ipsec encap information, or TCP socket, etc etc)
as a side effect, lots of netfilter becomes superfluous because all it
is doing is maintaining these lookup tables etc. which is what you are
optimizing.
Everyone looks to optimize these things on such a local level, and
that's not where the real improvements live. Think globally, and the
more powerful solutions are much more evident.
Everything, from packet forwarding, to firewalling, to TCP socket
packet receive, can be described with routes. It doesn't make sense
for forwarding, TCP, netfilter, and encapsulation schemes to duplicate
all of this table lookup logic and in fact it's entirely superfluous.
This stackable routes idea being worked on, watch this space over the
next couple of weeks :-)
next prev parent reply other threads:[~2002-09-25 22:54 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-09-25 22:41 nf
2002-09-25 22:52 ` David S. Miller [this message]
2002-09-26 0:10 ` Rik van Riel
2002-09-26 0:25 ` David S. Miller
2002-09-26 0:38 ` nf
2002-09-26 0:37 ` David S. Miller
2002-09-26 1:44 ` nf
2002-09-26 3:30 ` David S. Miller
2002-09-26 5:19 ` Rusty Russell
2002-09-26 5:40 ` David S. Miller
2002-09-26 15:27 ` James Morris
2002-09-26 20:52 ` David S. Miller
2002-09-27 3:00 ` Michael Richardson
2002-09-27 14:12 ` jamal
2002-09-28 1:30 ` David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020925.155246.41632313.davem@redhat.com \
--to=davem@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nf@hipac.org \
--subject='Re: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).