From: Stefano Brivio <sbrivio@redhat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Cc: "Florian Westphal" <fw@strlen.de>,
"Kadlecsik József" <kadlec@blackhole.kfki.hu>,
"Eric Garver" <eric@garver.life>, "Phil Sutter" <phil@nwl.cc>,
"Sabrina Dubroca" <sd@queasysnail.net>,
"Jay Ligatti" <ligatti@usf.edu>,
"Ori Rottenstreich" <or@cs.technion.ac.il>,
"Kirill Kogan" <kirill.kogan@gmail.com>
Subject: [PATCH nf-next 0/8] nftables: Set implementation for arbitrary concatenation of ranges
Date: Tue, 19 Nov 2019 02:06:27 +0100 [thread overview]
Message-ID: <cover.1574119038.git.sbrivio@redhat.com> (raw)
Existing nftables set implementations allow matching entries with
interval expressions (rbtree), e.g. 192.0.2.1-192.0.2.4, entries
specifying field concatenation (hash, rhash), e.g. 192.0.2.1:22,
but not both.
In other words, none of the set types allows matching on range
expressions for more than one packet field at a time, such as ipset
does with types bitmap:ip,mac, and, to a more limited extent
(netmasks, not arbitrary ranges), with types hash:net,net,
hash:net,port, hash:ip,port,net, and hash:net,port,net.
As a pure hash-based approach is unsuitable for matching on ranges,
and "proxying" the existing red-black tree type looks impractical as
elements would need to be shared and managed across all employed
trees, this new set implementation intends to fill the functionality
gap by employing a relatively novel approach.
The fundamental idea, illustrated in deeper detail in patch 3/5, is to
use lookup tables classifying a small number of grouped bits from each
field, and map the lookup results in a way that yields a verdict for
the full set of specified fields.
The grouping bit aspect is loosely inspired by the Grouper algorithm,
by Jay Ligatti, Josh Kuhn, and Chris Gage (see patch 3/5 for the full
reference).
A reference, stand-alone implementation of the algorithm itself is
available at:
https://pipapo.lameexcu.se
Some notes about possible future optimisations are also mentioned
there. This algorithm reduces the matching problem to, essentially,
a repetitive sequence of simple bitwise operations, and is
particularly suitable to be optimised by leveraging SIMD instruction
sets. An AVX2-based implementation is also presented in this series.
I plan to post the adaptation of the existing AVX2 vectorised
implementation for (at least) NEON at a later time.
Patch 1/8 implements the needed UAPI bits: additions to the existing
interface are kept to a minimum by recycling existing concepts for
both ranging and concatenation, as suggested by Florian.
Patch 2/8 adds a new bitmap operation that copies the source bitmap
onto the destination while removing a given region, and is needed to
delete regions of arrays mapping between lookup tables.
Patch 3/8 is the actual set implementation.
Patch 4/8 introduces selftests for the new implementation.
Patch 5/8 provides an easy optimisation with substantial gain on
matching rates.
Patches 6/8 and 7/8 are preparatory work to add an alternative,
vectorised lookup implementation.
Patch 8/8 contains the AVX2-based implementation of the lookup
routines.
The nftables and libnftnl counterparts depend on changes to the UAPI
header file included in patch 1/5.
Credits go to Jay Ligatti, Josh Kuhn, and Chris Gage for their
original Grouper implementation and article from ICCCN proceedings
(see reference in patch 3/5), and to Daniel Lemire for his public
domain implementation of a fast iterator on set bits using built-in
implementations of the CTZL operation, also included in patch 3/5.
Special thanks go to Florian Westphal for all the nftables consulting
and the original interface idea, to Sabrina Dubroca for support with
RCU and bit manipulation topics, to Eric Garver for an early review,
and to Phil Sutter for reaffirming the need for the use case covered
here.
Stefano Brivio (8):
netfilter: nf_tables: Support for subkeys, set with multiple ranged
fields
bitmap: Introduce bitmap_cut(): cut bits and shift remaining
nf_tables: Add set type for arbitrary concatenation of ranges
selftests: netfilter: Introduce tests for sets with range
concatenation
nft_set_pipapo: Provide unrolled lookup loops for common field sizes
nft_set_pipapo: Prepare for vectorised implementation: alignment
nft_set_pipapo: Prepare for vectorised implementation: helpers
nft_set_pipapo: Introduce AVX2-based lookup implementation
include/linux/bitmap.h | 4 +
include/net/netfilter/nf_tables_core.h | 2 +
include/uapi/linux/netfilter/nf_tables.h | 16 +
lib/bitmap.c | 66 +
net/netfilter/Makefile | 6 +-
net/netfilter/nf_tables_api.c | 4 +-
net/netfilter/nf_tables_set_core.c | 8 +
net/netfilter/nft_set_pipapo.c | 2131 +++++++++++++++++
net/netfilter/nft_set_pipapo.h | 242 ++
net/netfilter/nft_set_pipapo_avx2.c | 840 +++++++
net/netfilter/nft_set_pipapo_avx2.h | 14 +
tools/testing/selftests/netfilter/Makefile | 3 +-
.../selftests/netfilter/nft_concat_range.sh | 1481 ++++++++++++
13 files changed, 4813 insertions(+), 4 deletions(-)
create mode 100644 net/netfilter/nft_set_pipapo.c
create mode 100644 net/netfilter/nft_set_pipapo.h
create mode 100644 net/netfilter/nft_set_pipapo_avx2.c
create mode 100644 net/netfilter/nft_set_pipapo_avx2.h
create mode 100755 tools/testing/selftests/netfilter/nft_concat_range.sh
--
2.20.1
next reply other threads:[~2019-11-19 1:06 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-19 1:06 Stefano Brivio [this message]
2019-11-19 1:06 ` [PATCH nf-next 1/8] nf_tables: Support for subkeys, set with multiple ranged fields Stefano Brivio
2019-11-19 1:06 ` [PATCH nf-next 2/8] bitmap: Introduce bitmap_cut(): cut bits and shift remaining Stefano Brivio
2019-11-19 1:06 ` [PATCH nf-next 3/8] nf_tables: Add set type for arbitrary concatenation of ranges Stefano Brivio
2019-11-20 15:06 ` Florian Westphal
2019-11-21 19:54 ` Stefano Brivio
2019-11-21 20:41 ` Florian Westphal
2019-11-21 21:00 ` Stefano Brivio
2019-11-22 13:39 ` Stefano Brivio
2019-11-19 1:06 ` [PATCH nf-next 4/8] selftests: netfilter: Introduce tests for sets with range concatenation Stefano Brivio
2019-11-19 1:06 ` [PATCH nf-next 5/8] nft_set_pipapo: Provide unrolled lookup loops for common field sizes Stefano Brivio
2019-11-19 1:06 ` [PATCH nf-next 6/8] nft_set_pipapo: Prepare for vectorised implementation: alignment Stefano Brivio
2019-11-19 1:06 ` [PATCH nf-next 7/8] nft_set_pipapo: Prepare for vectorised implementation: helpers Stefano Brivio
2019-11-19 1:06 ` [PATCH nf-next 8/8] nft_set_pipapo: Introduce AVX2-based lookup implementation Stefano Brivio
2019-11-20 15:16 ` Florian Westphal
2019-11-20 16:08 ` Phil Sutter
2019-11-21 19:55 ` Stefano Brivio
2019-11-21 20:22 ` Pablo Neira Ayuso
2019-11-21 20:46 ` Florian Westphal
2019-11-21 20:54 ` Pablo Neira Ayuso
2019-11-21 20:56 ` Pablo Neira Ayuso
2019-11-21 20:51 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1574119038.git.sbrivio@redhat.com \
--to=sbrivio@redhat.com \
--cc=eric@garver.life \
--cc=fw@strlen.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=kirill.kogan@gmail.com \
--cc=ligatti@usf.edu \
--cc=netfilter-devel@vger.kernel.org \
--cc=or@cs.technion.ac.il \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.