From: Andi Kleen <ak@suse.de>
To: Roberto Nibali <ratz@drugphish.ch>
Cc: "David S. Miller" <davem@redhat.com>, ak@suse.de, niv@us.ibm.com, linux-kernel@vger.kernel.org, jamal <hadi@cyberus.ca>
Subject: Re: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification
Date: Thu, 26 Sep 2002 14:04:30 +0200
Message-ID: <20020926140430.E14485@wotan.suse.de>
In-Reply-To: <3D92CCC5.5000206@drugphish.ch>

On Thu, Sep 26, 2002 at 11:00:53AM +0200, Roberto Nibali wrote:
> o we can't filter more than 13Mbit/s anymore after loading around 3000
>   rules into the kernel (problem is gone with nf-hipac for example).

For iptables/ipchains you need to write hierarchical/port range rules in
this case and try to terminate searches early. But yes, we also found that
the L2 cache is limiting here (ip_conntrack has the same problem).

> o we can't log all the messages we would like to because the user space
>   log daemon (syslog-ng in our case, but we've tried others too) doesn't
>   get enough CPU time anymore to read the buffer before it will be
>   overwritten by the printk's again. This leads to an almost proportional
>   to N^2 log entry loss with increasing number of rules that do not match.
>   This is the worst thing that can happen to you working in the
>   security business: not having an appropriate log trace during a
>   possible incident.

At least that is easily fixed. Just increase the LOG_BUF_LEN parameter in
kernel/printk.c

Alternatively don't use slow printk, but nfnetlink to report bad packets
and print from user space. That should scale much better.

-Andi
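The two suggestions in the reply above (hierarchical/port-range rules so a lookup terminates early, and logging over netlink to user space instead of printk) can be shown in one ruleset generator. This is an added example, not code from the thread or from nf-hipac: it dispatches first on protocol and then on an 8192-port band of the destination port into small per-band chains, each of which ends in a terminal NFLOG+DROP, so a packet never walks the rules of the other bands. The chain names, the band width, the sample policy and the nflog group are all constructed for the example. NFLOG (nfnetlink_log, read by a collector such as ulogd) is the current form of the user-space logging Andi describes; on 2.4-era kernels the equivalent target was ULOG. With the default DRY_RUN=1 the script only prints the iptables commands, so it runs without root.

```shell
#!/bin/sh
# Added example: hierarchical iptables ruleset generator.
# Dispatch on protocol, then on destination-port band, then a short band
# chain that ends in NFLOG+DROP. DRY_RUN=1 prints the commands instead of
# executing them (executing needs root and the iptables binary).

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
BAND=8192                       # width of one destination-port band (assumed)
NBANDS=$((65536 / BAND))        # 8 bands, numbered 0..7
NFLOG_GROUP="${NFLOG_GROUP:-1}" # nfnetlink_log group the collector listens on (assumed)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$IPT" "$*"; else "$IPT" "$@"; fi
}

# Constructed sample policy, one "proto lo hi action" per line.
# A real deployment would load this from a file.
POLICY='tcp 22 22 ACCEPT
tcp 80 80 ACCEPT
tcp 443 443 ACCEPT
tcp 8000 8100 ACCEPT
udp 53 53 ACCEPT
udp 123 123 ACCEPT
udp 60000 65535 ACCEPT'

upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# Emit the whole ruleset (one iptables command per line in dry-run mode).
gen_ruleset() {
    ipt -N IN_DISPATCH
    for proto in tcp udp; do
        P=$(upper "$proto")
        ipt -N "IN_$P"
        ipt -A IN_DISPATCH -p "$proto" -j "IN_$P"     # first level: protocol
        b=0
        while [ "$b" -lt "$NBANDS" ]; do
            lo=$((b * BAND)); hi=$((lo + BAND - 1))
            chain="IN_${P}_$b"
            ipt -N "$chain"
            # second level: one port-range match per band
            ipt -A "IN_$P" -p "$proto" --dport "$lo:$hi" -j "$chain"
            # every policy rule overlapping this band lands in the band chain
            printf '%s\n' "$POLICY" | while read -r rp rlo rhi act; do
                [ "$rp" = "$proto" ] || continue
                [ "$rhi" -ge "$lo" ] && [ "$rlo" -le "$hi" ] || continue
                ipt -A "$chain" -p "$proto" --dport "$rlo:$rhi" -j "$act"
            done
            # terminal rules: log via nfnetlink to user space, then drop;
            # the search ends here, the other bands are never walked
            ipt -A "$chain" -j NFLOG --nflog-group "$NFLOG_GROUP" --nflog-prefix "drop-$proto-$b"
            ipt -A "$chain" -j DROP
            b=$((b + 1))
        done
    done
    ipt -A IN_DISPATCH -j NFLOG --nflog-group "$NFLOG_GROUP" --nflog-prefix "drop-other"
    ipt -A IN_DISPATCH -j DROP
    ipt -I INPUT 1 -j IN_DISPATCH
}

# Number of rules appended to a given chain in the generated ruleset.
chain_len() { gen_ruleset | grep -c -- " -A $1 " || true; }

# Number of lines in the policy.
policy_len() { printf '%s\n' "$POLICY" | grep -c . || true; }

# Rules a non-matching packet walks in the flat equivalent: every policy
# rule, then the logging rule, then the drop.
flat_walk() { n=$(policy_len); echo $((n + 2)); }

# Rules a non-matching packet walks in the hierarchical ruleset: its
# protocol dispatch rule(s), the band dispatch rules up to its band, and
# the whole band chain (it matches nothing there except the terminal rules).
worst_case_walk() { # proto port
    case "$1" in tcp) d=1 ;; udp) d=2 ;; *) chain_len IN_DISPATCH; return ;; esac
    band=$(($2 / BAND))
    n=$(chain_len "IN_$(upper "$1")_$band")
    echo $((d + band + 1 + n))
}

# When run as a script, print (DRY_RUN=1) or apply (DRY_RUN=0) the ruleset.
gen_ruleset
```

With the tiny constructed policy the saving is small (a TCP packet to port 9000 evaluates 5 rules instead of 9), but the structure is what matters: with 3000 rules spread over two protocols and eight bands, a non-matching packet evaluates a few hundred rules plus two or three dispatch rules rather than all 3000, and the band widths should be chosen from the real distribution of ports in the policy rather than fixed at 8192.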
Thread overview (27+ messages):

[not found] <3D924F9D.C2DCF56A@us.ibm.com.suse.lists.linux.kernel>
  [not found] <20020925.170336.77023245.davem@redhat.com.suse.lists.linux.kernel>
    2002-09-26  0:31 Andi Kleen
      2002-09-26  0:29 David S. Miller
        2002-09-26  0:46 Andi Kleen
          2002-09-26  0:44 David S. Miller
            2002-09-26  9:00 Roberto Nibali
              2002-09-26  9:06 David S. Miller
                2002-09-26  9:24 Roberto Nibali
                  2002-09-26  9:21 David S. Miller
                  2002-09-26 15:13 James Morris
                    2002-09-26 20:51 Roberto Nibali
              2002-09-26 10:25 Roberto Nibali
                2002-09-26 10:20 David S. Miller
                  2002-09-26 10:49 Roberto Nibali
              2002-09-26 12:03 jamal
                2002-09-26 20:23 Roberto Nibali
                  2002-09-27 13:57 jamal
              2002-09-26 12:04 Andi Kleen [this message]
                2002-09-26 20:49 Roberto Nibali
                  2002-09-30 17:36 Bill Davidsen
                    2002-10-02 17:37 Roberto Nibali
      2002-09-26  1:17 Nivedita Singhvi
        2002-09-26  1:15 Andi Kleen
2002-09-26  0:06 Nivedita Singhvi
  2002-09-26  0:03 David S. Miller
    2002-09-26  0:50 Nivedita Singhvi
      2002-09-26  0:40 David S. Miller
        2002-09-26  1:09 Nivedita Singhvi