From: Florian Westphal <fw@strlen.de>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, brouer@redhat.com,
netdev@vger.kernel.org
Subject: Re: [RFC PATCH] netfilter: conntrack: cache route for forwarded connections
Date: Tue, 2 Dec 2014 11:20:08 +0100
Message-ID: <20141202102008.GC16959@breakpoint.cc>
In-Reply-To: <1417484203.4442.19.camel@edumazet-glaptop2.roam.corp.google.com>
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Tue, 2014-12-02 at 01:28 +0100, Florian Westphal wrote:
> > ... to avoid per-packet FIB lookup if possible.
> >
> > The cached dst is re-used provided the input interface
> > is the same as that of the previous packet in the same direction.
> >
> > If not, the cached dst is invalidated.
> >
> > This should speed up forwarding when conntrack is already in use
> > anyway, especially when using reverse path filtering -- active RPF
> > enforces two FIB lookups for each packet.
> >
> > Before the routing cache removal this didn't matter since RPF
> > was performed only when route cache didn't yield a result; but without
> > route cache it comes at high price.
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
>
> Seems a good idea (but you might need some IPv6 care, as ( dst =
> dst_check(dst, 0); ) seems to handle IPv4 only)
As usual, you're right...
AFAICS it's enough to stash the fib sernum of the rt6_info too and pass
that as the cookie, phew :-)
> Another idea would be to re-use TCP ehash so that regular IP early demux
> can be used, with a single lookup for both local and forwarded sessions.
Hmm, I'll look at this. Maybe...
> (That would probably require a bit more memory, as you would need to
> insert into TCP ehash some kind of 'tiny sockets' )
... such a tiny socket could be stored/tied to the conntrack extension
area.
I think we need to be careful to not re-add the route cache (and the DoS
issues associated with it).
Thanks Eric!