From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Shivani Bhardwaj <shivanib134@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] extensions: libxt_NFQUEUE: Add translation to nft
Date: Tue, 22 Dec 2015 21:21:12 +0100
Message-ID: <20151222202112.GA4470@salvia>
In-Reply-To: <CAKHNQQE0=tQQcaWCvAgyQGA3yiM3mfZcoLcrfb-Kn8DKaY=+6w@mail.gmail.com>

On Wed, Dec 23, 2015 at 01:08:51AM +0530, Shivani Bhardwaj wrote:
> On Tue, Dec 22, 2015 at 10:10 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Mon, Dec 21, 2015 at 06:53:43PM +0530, Shivani Bhardwaj wrote:
> >> Add translation of NF queue to nftables.
> >>
> >> Examples:
> >>
> >> $ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE --queue-num 30
> >> nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30
> >>
> >> $ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p TCP --sport 80
> >> nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass
> > ^
> > Make sure this space is gone in a v2 of this patch.
> >
> >> $ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-balance 0:3
> >> nft add rule ip filter FORWARD counter queue num 0-3 fanout
> >
> > I think --queue-balance is independent from fanout. Check the code and
> > make sure this is correct.
> >
> Hi,
>
> I have taken reference from here :
> http://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
>
> It says:
> When doing load balancing, you can use the fanout option to use the
> CPU ID as an index to map packets to the queues. The idea is that you
> can improve performance if there's a queue/userspace application per
> CPU
>
> Please let me know if I have understood this wrong.

I think this description above is not precise, please have a look at:
man iptables-extensions and check NFQUEUE, so you make sure you're
interpreting things the right way.

       --queue-balance value:value
              This specifies a range of queues to use. Packets are
              then balanced across the given queues. This is useful for
              multicore systems: start multiple instances of the
              userspace program on queues x, x+1, .. x+n and use
              "--queue-balance x:x+n". Packets belonging to the same
              connection are put into the same nfqueue.

       --queue-cpu-fanout
              Available starting Linux kernel 3.10. When used together
              with --queue-balance this will use the CPU ID as an index
              to map packets to the queues. The idea is that you can improve
              performance if there's a queue per CPU. This requires
              --queue-balance to be specified.

So fanout is optional.

You can also fix the wiki to avoid this ambiguity. Thanks.
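
Added example (not part of the original message and not the iptables source): a small C sketch of the mapping discussed above, where a --queue-balance range translates to a queue range and "fanout" is emitted only when --queue-cpu-fanout was given. The struct nfq_opts, the function nfq_to_nft() and the sample inputs are hypothetical names constructed for this illustration; the comma-joined "bypass,fanout" form follows nft's flag-list syntax.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical option record for this example (not iptables' own structs). */
struct nfq_opts {
	unsigned int first; /* --queue-num N, or x of --queue-balance x:y */
	unsigned int last;  /* y of --queue-balance x:y (ignored otherwise) */
	int balance;        /* --queue-balance was given */
	int bypass;         /* --queue-bypass was given */
	int fanout;         /* --queue-cpu-fanout was given */
};

/* Build the nft queue statement; 0 on success, -1 on a bad mix or short buffer. */
int nfq_to_nft(const struct nfq_opts *o, char *buf, size_t len)
{
	int n;

	/* Man page: fanout requires --queue-balance. This example also wants x < y. */
	if ((o->fanout && !o->balance) || (o->balance && o->first >= o->last))
		return -1;

	if (o->balance)
		n = snprintf(buf, len, "queue num %u-%u", o->first, o->last);
	else
		n = snprintf(buf, len, "queue num %u", o->first);
	if (n < 0 || (size_t)n >= len)
		return -1;

	/* Flags appear only when set: a balance range alone gets no "fanout". */
	if (o->bypass || o->fanout) {
		int m = snprintf(buf + n, len - n, " %s%s%s",
				 o->bypass ? "bypass" : "",
				 o->bypass && o->fanout ? "," : "",
				 o->fanout ? "fanout" : "");
		if (m < 0 || (size_t)m >= len - n)
			return -1;
	}
	return 0;
}

int main(void)
{
	/* Constructed inputs: --queue-balance 0:3 without, then with, flags. */
	struct nfq_opts in[] = { { 0, 3, 1, 0, 0 }, { 0, 3, 1, 1, 1 } };
	char buf[64];

	for (size_t i = 0; i < 2; i++)
		if (nfq_to_nft(&in[i], buf, sizeof(buf)) == 0)
			puts(buf);
	return 0;
}
```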