Re: nfnetlink_queue -- why linear lookup ?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Duncan Roe <duncan_roe@optusnet.com.au>
To: alexandre.ferrieux@orange.com
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	Netfilter Development <netfilter-devel@vger.kernel.org>
Subject: Re: nfnetlink_queue -- why linear lookup ?
Date: Mon, 16 Aug 2021 21:42:31 +1000	[thread overview]
Message-ID: <YRpPJ8jZRI80ApTu@slk1.local.net> (raw)
In-Reply-To: <19560_1629111179_611A438B_19560_274_1_0633ee7a-2660-91b4-f1d7-adc727864376@orange.com>

On Mon, Aug 16, 2021 at 12:53:33PM +0200, alexandre.ferrieux@orange.com wrote:
>
>
> On 8/16/21 11:05 AM, Pablo Neira Ayuso wrote:
> > On Sun, Aug 15, 2021 at 08:47:04PM +0200, alexandre.ferrieux@orange.com wrote:
> > >
> > >
> > > [...] to maintain the hashtable, we need to bother the "normal" code path
> > > with hash_add/del. Not much, but still, some overhead...
> >
> > Probably you can collect some numbers to make sure this is not a
> > theoretical issue.
>
> 'k, will do :)
>
> > > Yes, a full spectrum of batching methods are possible. If we're to minimize
> > > the number of bytes crossing the kernel/user boundary though, an array of
> > > ids looks like the way to go (4 bytes per packet, assuming uint32 ids).
> >
> > Are you proposing a new batching mechanism?
>
> Well, the problem is backwards compatibility. Indeed I'd propose more
> flexible batching via an array of ids instead of a maxid. But the main added
> value of this flexibility is to enable reused-small-integers ids, like file
> descriptors. As long as the maxid API remains in place, this is impossible.
>
> > > That being said, the Doxygen of the userland nfqueue API mentions being
> > > DEPRECATED... So what is the recommended replacement ?
> >
> > What API are you refering to specifically?
>
>
> I'm referring to the nfq API documented here:
>
>
> https://www.netfilter.org/projects/libnetfilter_queue/doxygen/html/group__Queue.html
>
> It starts with "Queue handling [DEPRECATED]"...
>
The deprecated functions are not going away, it's just not recommended to use
them in new code.

The replacements are the non-deprecated functions.

Here's a bit of background: libnetfilter_queue is essentially a blend of 2
separate libraries. The older (and deprecated) library uses libnfnetlink to
communicate with the kernel. The newer (current) library uses libmnl to
communicate with the kernel. You either use functions from one library or the
other: they don't mix.

libnetfilter_queue is a wrapper for all libnfnetlink functions except
nfnl_rcvbufsiz(), while it only provides helpers for *some* libmnl functions.

The main new feature of the current libnetfilter_queue library is a suite of
helpers for packet mangling. These manage checksums and other required header
manipulation for ipv4 & ipv6 and the upb & tcp transport layers. Current
libnetfilter_queue also provides inclusion of a mangled packet in a verdict -
not available from the deprecated library AFAICS.

Current libnetfilter_queue doesn't provide batch verdicts. I don't know why -
perhaps Pablo can elaborate.

Userland support for any new featuer would normally go into libmnl.

Cheers ... Duncan.

next prev parent reply	other threads:[~2021-08-16 11:42 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-13 11:55 nfnetlink_queue -- why linear lookup ? alexandre.ferrieux
2021-08-14 21:01 ` Florian Westphal
2021-08-14 21:05   ` alexandre.ferrieux
2021-08-14 21:12     ` Florian Westphal
2021-08-15 12:17       ` alexandre.ferrieux
2021-08-15 13:07         ` Pablo Neira Ayuso
2021-08-15 13:32           ` alexandre.ferrieux
2021-08-15 14:12             ` Pablo Neira Ayuso
2021-08-15 18:47               ` alexandre.ferrieux
2021-08-16  9:05                 ` Pablo Neira Ayuso
2021-08-16 10:53                   ` alexandre.ferrieux
2021-08-16 10:56                     ` Florian Westphal
2021-08-16 11:07                       ` alexandre.ferrieux
2021-08-16 11:19                     ` Pablo Neira Ayuso
2021-08-16 11:42                     ` Duncan Roe [this message]
2021-08-16 12:04               ` Duncan Roe
2021-08-16 16:10                 ` Pablo Neira Ayuso
2021-08-16 16:15                   ` Florian Westphal
2021-08-17  4:03                   ` Duncan Roe
2021-08-15 13:33           ` alexandre.ferrieux
  -- strict thread matches above, loose matches on Subject: below --
2021-08-13 11:10 alexandre.ferrieux
2021-08-13 10:58 alexandre.ferrieux

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YRpPJ8jZRI80ApTu@slk1.local.net \
    --to=duncan_roe@optusnet.com.au \
    --cc=alexandre.ferrieux@orange.com \
    --cc=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.