From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, ebiederm@xmission.com
Subject: Re: [PATCH nf-next 0/4] netfilter: xtables: don't register hooks by default
Date: Wed, 2 Mar 2016 20:15:03 +0100
Message-ID: <20160302191503.GA4099@salvia>
In-Reply-To: <1456391318-11601-1-git-send-email-fw@strlen.de>

On Thu, Feb 25, 2016 at 10:08:34AM +0100, Florian Westphal wrote:
> This work changes xtables to register tables only
> when the ip(6)tables/arptables command is invoked inside a netns.
> Also changes br_netfilter to not add its sabotage hooks until
> a bridge is created inside the netns.
>
> The initial namespace isn't affected; hooks are still registered
> on module load time there.
>
> netperf receiver running in netns 1.
> init ns with empty mangle+filter table.
>
> Recv   Send   Send
> Socket Socket Message Elapsed
> Size   Size   Size    Time    Throughput
> bytes  bytes  bytes   secs.   10^6bits/sec
>
> From ns2 (empty mangle + filter table):
> 87380 16384 16384 180.00 22034.90
> 87380 16384 16384 180.00 22355.71
> 87380 16384 16384 180.00 21906.88
>
> from ns3, no iptables invocations:
> 87380 16384 16384 180.00 23103.76
> 87380 16384 16384 180.00 22975.47
> 87380 16384 16384 180.00 22880.08
>
> -> ~4% delta.
>
> Changes since last iteration:
> - dropped the conntrack changes for now
> - split patch #2 to make review a bit easier

I have placed this in the nf-next tree, thanks Florian.

Thread overview: 6+ messages
2016-02-25 9:08 [PATCH nf-next 0/4] netfilter: xtables: don't register hooks by default Florian Westphal
2016-02-25 9:08 ` [PATCH nf-next 1/4] netfilter: xtables: prepare for on-demand hook register Florian Westphal
2016-02-25 9:08 ` [PATCH v4 nf-next 2/4] netfilter: xtables: don't hook tables by default Florian Westphal
2016-02-25 9:08 ` [PATCH v4 nf-next 3/4] netfilter: bridge: register hooks only when bridge interface is added Florian Westphal
2016-02-25 9:08 ` [PATCH v4 nf-next 4/4] netfilter: don't call hooks unless needed Florian Westphal
2016-03-02 19:15 ` Pablo Neira Ayuso [this message]