Re: iptables performance under 2.6.0[-test9]

[Andy Polyakov <appro@fy.chalmers.se>]

[-- Attachment #1: Type: text/plain, Size: 1815 bytes --]

> >Yes, it does [imply that]. But I rather wonder why did it assemble a TCP
> >packet larger than MTU in first place. But in either case it looks like
> >whomever who did that gives up after 3 seconds and generates two smaller
> >instead. Normally I would also complain that one would expect tcpdump to
> >show wire traffic even on the client side, but this is really bad
> >opportunity to do so, as we probably wouldn't land on ip_refrag so
> >soon:-)
> 
> Yes you're right the stack should never generate tcp packets > mtu.
> 
> This is either a misconfiguration or a bug in TCP.

Looks like neither:-) My NIC turned to be NETIF_F_TSO capable, which
means that it "can off-load TCP/IP segmentation" and kernel is allowed
to and does throw packets larger than ethernet MTU at it [and tcpdump
therefore was honest].

I'm currently running attached patch and it apparently solves my
*particular* problem, but I can't tell if it's actually "the right
thing(tm)" to do... Is (*pskb)->sk->sk_route_caps right place to check?
Maybe out->features is more appropriate? Is there TSO maximum which one
should compare (*pskb)->len against? That kind of questions...

HOWEVER!!! Even if we figure out "the right thing(tm)" and address the
NETIF_F_TSO issue in proper manner, it does *not* necessarily mean that
performance problem will disappear as well. Well, in my optinion... I
mean performance might still suffer, whenever user will for example
masquerade a larger MTU interface behind "narrower" one, e.g. behind
PPPoE virtual interface, and further experiments should therefore be
performed... But I'm not sure if I'll be able to assist, because my
NETIF_F_TSO capable NIC might make it impossible to arrange for proper
setup [without PPPoE which I simply don't have]. I'll try, but can't
make any promises... Cheers. A.

[-- Attachment #2: nf.diff --]
[-- Type: text/plain, Size: 505 bytes --]

--- ./net/ipv4/netfilter/ip_conntrack_standalone.c.orig	Sat Oct 25 20:43:32 2003
+++ ./net/ipv4/netfilter/ip_conntrack_standalone.c	Tue Oct 28 23:16:56 2003
@@ -198,6 +198,9 @@
 	if (ip_confirm(hooknum, pskb, in, out, okfn) != NF_ACCEPT)
 		return NF_DROP;
 
+	if ((*pskb)->sk && (*pskb)->sk->sk_route_caps&NETIF_F_TSO)
+		return NF_ACCEPT;
+
 	/* Local packets are never produced too large for their
 	   interface.  We degfragment them at LOCAL_OUT, however,
 	   so we have to refragment them here. */