From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH 07/14] nft Increase mnl_talk() receive buffer size
Date: Tue, 17 Sep 2019 16:08:24 +0200
Message-ID: <20190917140824.GG9943@orbyte.nwl.cc>
In-Reply-To: <20190917050038.mi4omfwlctacjfze@salvia>

Hi Pablo,

On Tue, Sep 17, 2019 at 07:00:38AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 16, 2019 at 06:49:53PM +0200, Phil Sutter wrote:
> > This improves cache population quite a bit and therefore helps when
> > dealing with large rulesets. A simple hard to improve use-case is
> > listing the last rule in a large chain.
> 
> You might consider extending the netlink interface too for this
> particular case, GETRULE plus position attribute could be used for
> this I think. You won't be able to use this new operation from
> userspace anytime soon though, given there is no way so far to expose
> interface capabilities so far rather than probing.
> 
> If there are more particular corner cases like this, I would also
> encourage to extend the netlink interface.
> 
> Just a side note, not a comment specifically on this patch :-).

Thanks for suggesting, I didn't consider extending the kernel to support the
index stuff yet. In general, I refrained from kernel changes simply
because of the compat problem. Implementing failure tolerance can
quickly turn into a mess, too.

Cheers, Phil
