From: Rusty Russell <rusty@rustcorp.com.au>
To: "David S. Miller" <davem@redhat.com>
Cc: nf@hipac.org, linux-kernel@vger.kernel.org
Subject: Re: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter
Date: Thu, 26 Sep 2002 15:19:33 +1000
Message-ID: <20020926151933.2e8cb171.rusty@rustcorp.com.au>
In-Reply-To: <20020925.155246.41632313.davem@redhat.com>

On Wed, 25 Sep 2002 15:52:46 -0700 (PDT)
"David S. Miller" <davem@redhat.com> wrote:
> We have to do the route lookup anyways, if it got you to the packet
> filtering tables (or ipsec encap information, or TCP socket, etc etc)
> as a side effect, lots of netfilter becomes superfluous because all it
> is doing is maintaining these lookup tables etc. which is what you are
> optimizing.

Indeed. Note that netfilter infrastructure had this from the beginning, but
it sits unused (skb->nf_cache), awaiting someone to get enthusiastic.

There are three real issues:

1) You need a way to say "too hard, don't cache this". We have
   NFC_UNKNOWN (I looked at some packet field you don't have a bit for)
   and NFC_UNCACHABLE (give me every packet dammit!).

2) You need a sane "selective flush" mechanism for timeouts and rule changes
   (e.g. connection tracking and NAT).

3) If you want to keep counters in the subsystems (e.g. iptables keeps packet
   and byte counters at the moment for every rule because it's easy), you
   need to keep this info in your route cache, then call the subsystems when
   you evict something from the cache.

Cheers!
Rusty.
--
there are those who do and those who hang on and you don't see too
many doers quoting their contemporaries. -- Larry McVoy
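
An added example, not part of the original message and not netfilter code: a user-space C model of a verdict cache that handles the three issues listed above. The flag names are from the message; their values, the table sizes, `classify()` and all other names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Flag names come from the message; values and all other names are assumed. */
#define NFC_UNKNOWN    0x1u /* classifier read a field the cache key lacks */
#define NFC_UNCACHABLE 0x2u /* subsystem wants to see every packet */
enum { NRULES = 4, NSLOTS = 8 };
struct rule  { int verdict; unsigned flags; uint64_t pkts, bytes; };
struct entry { int used, rule; uint32_t src, dst; uint64_t pkts, bytes; };
static struct rule  rules[NRULES];
static struct entry cache[NSLOTS];
/* Constructed slow path: the rule index is just the low bits of dst. */
static int classify(uint32_t src, uint32_t dst) { (void)src; return dst % NRULES; }

/* Issue 3: hand cached counters back to the owning rule on eviction. */
static void evict(struct entry *e) {
    if (!e->used) return;
    rules[e->rule].pkts += e->pkts; rules[e->rule].bytes += e->bytes;
    memset(e, 0, sizeof *e);
}
/* Issue 2: selective flush, dropping only entries derived from rule r. */
static void flush_rule(int r) {
    for (int i = 0; i < NSLOTS; i++)
        if (cache[i].used && cache[i].rule == r) evict(&cache[i]);
}
static void set_rule(int r, int verdict, unsigned flags) {
    flush_rule(r); /* a stale verdict must not outlive the rule change */
    rules[r].verdict = verdict; rules[r].flags = flags;
}
/* Returns the verdict; *hit reports whether the cache answered. */
static int filter(uint32_t src, uint32_t dst, uint32_t len, int *hit) {
    struct entry *e = &cache[(src ^ dst) % NSLOTS];
    *hit = e->used && e->src == src && e->dst == dst;
    if (!*hit) {
        int r = classify(src, dst);
        if (rules[r].flags & (NFC_UNKNOWN | NFC_UNCACHABLE)) { /* issue 1 */
            rules[r].pkts++; rules[r].bytes += len;
            return rules[r].verdict;
        }
        evict(e); /* slot collision: credit the old flow first */
        *e = (struct entry){ .used = 1, .rule = r, .src = src, .dst = dst };
    }
    e->pkts++; e->bytes += len;
    return rules[e->rule].verdict;
}

int main(void) {
    int hit;
    set_rule(1, 1, 0);
    filter(10, 1, 100, &hit); filter(10, 1, 100, &hit);
    return hit ? 0 : 1; /* second packet of the flow is served from cache */
}
```

From a filtering standpoint the selective flush is the part that matters most: without it, a flow cached under an old accept verdict keeps passing after the rule has been changed to drop.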