From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: [PATCH] add TCP protocol state event groups
Date: Wed, 20 Jun 2007 19:40:56 +0200 [thread overview]
Message-ID: <467966A8.4060405@trash.net> (raw)
In-Reply-To: <4679613B.6040100@netfilter.org>
Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>
>>> Well, why just save a couple of groups if we've got 2^32 event groups?
>>> Moreover, per protocol state seems to me the most fine-grain and
>>> flexible solution. Depending on the replication schema I might be
>>> interested in different states.
>>
>>
>> Its not only about saving groups. A scheme like this only makes
>> sense if you introduce groups for every tiny bit, otherwise you
>> need to subscribe to the "global" group anyway to get the remaining
>> "unclassified" events you're interested in. And that not only uses
>> a lot of groups, it also requires dispatching the same event to
>> potentially many groups. I'm interested, do you already use this
>> feature in conntrackd? If yes, how do you deal with UDP etc. that
>> you didn't introduce new groups for?
You skipped my question.
> The patch is incomplete but you can guess the schema. Consider a patch
> to add the following groups:
>
> NFNLGRP_CONNTRACK_PROTO_UDP_NEW,
> NFNLGRP_CONNTRACK_PROTO_UDP_UPDATE,
> NFNLGRP_CONNTRACK_PROTO_UDP_DESTROY,
> NFNLGRP_CONNTRACK_PROTO_ICMP_NEW,
> NFNLGRP_CONNTRACK_PROTO_ICMP_UPDATE,
> NFNLGRP_CONNTRACK_PROTO_ICMP_DESTROY,
> NFNLGRP_CONNTRACK_PROTO_SCTP_...,
> NFNLGRP_CONNTRACK_PROTO_UNCLASSIFIED_NEW,
> NFNLGRP_CONNTRACK_PROTO_UNCLASSIFIED_UPDATE,
> NFNLGRP_CONNTRACK_PROTO_UNCLASSIFIED_DESTROY
>
> At a glance I see the function netlink_update_listeners that is O(n),
> that could be the bottleneck if we have a lot of groups. Still
> objections with this approach?
So far I presume conntrackd still listens to the global group. So
I would like to know how many groups we'll end up with until this
scheme is really fine-grained enough that it allows conntrackd
to avoid listening to the global group and what types of events
it would ignore (so I can understand the performance improvement
this might yield). The above still only contains protocol specific
groups.
next prev parent reply other threads:[~2007-06-20 17:40 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-11 18:05 [PATCH] add TCP protocol state event groups Pablo Neira Ayuso
2007-06-19 13:33 ` Patrick McHardy
2007-06-19 14:13 ` Pablo Neira Ayuso
2007-06-19 14:44 ` Patrick McHardy
2007-06-20 17:17 ` Pablo Neira Ayuso
2007-06-20 17:40 ` Patrick McHardy [this message]
2007-06-21 15:47 ` Pablo Neira Ayuso
2007-06-21 16:04 ` Patrick McHardy
2007-06-21 19:11 ` states worth to replicate [was Re: [PATCH] add TCP protocol state event groups] Pablo Neira Ayuso
2007-06-22 12:49 ` Patrick McHardy
2007-07-02 9:40 ` [PATCH] add TCP protocol state event groups Holger Eitzenberger
2007-07-02 15:36 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=467966A8.4060405@trash.net \
--to=kaber@trash.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.