linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Rusty Russell <rusty@rustcorp.com.au>
To: "David S. Miller" <davem@redhat.com>
Cc: nf@hipac.org, linux-kernel@vger.kernel.org
Subject: Re: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter
Date: Thu, 26 Sep 2002 15:19:33 +1000	[thread overview]
Message-ID: <20020926151933.2e8cb171.rusty@rustcorp.com.au> (raw)
In-Reply-To: <20020925.155246.41632313.davem@redhat.com>

On Wed, 25 Sep 2002 15:52:46 -0700 (PDT)
"David S. Miller" <davem@redhat.com> wrote:

> We have to do the route lookup anyways, if it got you to the packet
> filtering tables (or ipsec encap information, or TCP socket, etc etc)
> as a side effect, lots of netfilter becomes superfluous because all it
> is doing is maintaining these lookup tables etc. which is what you are
> optimizing.

Indeed.  Note that netfilter infrastructure had this from the beginning, but
it sits unused (skb->nf_cache), awaiting someone to get enthusiastic.

There are three real issues:
1) You need a way to say "too hard, don't cache this".  We have
   NFC_UNKNOWN (I looked at some packet field you don't have a bit for)
   and NFC_UNCACHABLE (give me every packet dammit!).

2) You need a sane "selective flush" mechanism for timeouts and rule changes
   (eg. connection tracking and nat).

3) If you want to keep counters in the subsystems (eg. iptables keeps packet
   and byte counters at the moment for every rule because it's easy). You
   need to keep this info in your route cache, then call the subsystems when
   you evict something from the cache.

Cheers!
Rusty.
-- 
   there are those who do and those who hang on and you don't see too
   many doers quoting their contemporaries.  -- Larry McVoy

  parent reply	other threads:[~2002-09-26  5:15 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-09-25 22:41 nf
2002-09-25 22:52 ` David S. Miller
2002-09-26  0:10   ` Rik van Riel
2002-09-26  0:25     ` David S. Miller
2002-09-26  0:38   ` nf
2002-09-26  0:37     ` David S. Miller
2002-09-26  1:44       ` nf
2002-09-26  3:30         ` David S. Miller
2002-09-26  5:19   ` Rusty Russell [this message]
2002-09-26  5:40     ` David S. Miller
2002-09-26 15:27       ` James Morris
2002-09-26 20:52         ` David S. Miller
2002-09-27  3:00           ` Michael Richardson
2002-09-27 14:12           ` jamal
2002-09-28  1:30             ` David S. Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20020926151933.2e8cb171.rusty@rustcorp.com.au \
    --to=rusty@rustcorp.com.au \
    --cc=davem@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nf@hipac.org \
    --subject='Re: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).