From: Lukas Wunner <lukas@wunner.de>
To: "Pablo Neira Ayuso" <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Eric Dumazet <edumazet@google.com>, Thomas Graf <tgraf@suug.ch>,
Laura Garcia <nevola@gmail.com>,
David Miller <davem@davemloft.net>
Subject: [PATCH nf-next v3 0/3] Netfilter egress hook
Date: Thu, 27 Aug 2020 10:55:00 +0200
Message-ID: <cover.1598517739.git.lukas@wunner.de>
Introduce a netfilter egress hook to allow filtering outbound AF_PACKETs
such as DHCP and to prepare for in-kernel NAT64/NAT46.

An earlier version of this series was applied by Pablo Neira Ayuso back
in March and subsequently reverted by Daniel Borkmann over performance
concerns. I've now reworked the series following a discussion between
Daniel and Florian Westphal:
https://lore.kernel.org/netdev/20200318123315.GI979@breakpoint.cc/

Briefly, traffic control and netfilter handling are moved out of the
__dev_queue_xmit() hotpath into a noinline function which is dynamically
patched in using a static_key. In that function, each of tc and nft are
patched in with additional static_keys.

Thus, if neither tc nor nft is used, performance improves compared to
the status quo (see measurements in patch [3/3]). However, if tc is
used, performance degrades a little due to the "noinline", the additional
outer static key and the added netfilter code. That's kind of a bummer.
If anyone has ideas on how to mitigate this performance degradation, please
come forward.

To test the new netfilter egress hook, apply this nft patch to add rules
from user space:
https://lore.kernel.org/netfilter-devel/d6b6896fdd8408e4ddbd66ab524709e5cf82ea32.1583929080.git.lukas@wunner.de/

Thanks!
Lukas Wunner (3):
netfilter: Rename ingress hook include file
netfilter: Generalize ingress hook
netfilter: Introduce egress hook
include/linux/netdevice.h | 8 +++
include/linux/netfilter_ingress.h | 58 -----------------
include/linux/netfilter_netdev.h | 102 ++++++++++++++++++++++++++++++
include/linux/rtnetlink.h | 2 +-
include/uapi/linux/netfilter.h | 1 +
net/core/dev.c | 56 +++++++++++++---
net/netfilter/Kconfig | 8 +++
net/netfilter/core.c | 24 +++++--
net/netfilter/nft_chain_filter.c | 4 +-
net/sched/Kconfig | 3 +
10 files changed, 194 insertions(+), 72 deletions(-)
delete mode 100644 include/linux/netfilter_ingress.h
create mode 100644 include/linux/netfilter_netdev.h
--
2.27.0
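A userspace model of the dispatch the cover letter describes, added here as an illustration and not code from the series or the kernel: a plain int stands in for the static_key gate, an out-of-line egress function walks the registered hooks, and one hook parses the raw Ethernet/IPv4/UDP frame to drop outbound DHCP, the AF_PACKET use case the cover letter names. Every function and variable name below is a constructed stand-in, not a kernel symbol, and the two frames are constructed test input.

```c
#include <stdint.h>
#include <stddef.h>
enum verdict { NF_DROP = 0, NF_ACCEPT = 1 };
typedef enum verdict (*egress_hook_fn)(const uint8_t *frame, size_t len);
/* Constructed model, not kernel code: egress_needed stands in for the
 * static_key; while it is 0 the hot path never enters the egress function. */
static int egress_needed;
static egress_hook_fn egress_hooks[4];
static size_t nhooks;
static int register_egress_hook(egress_hook_fn fn)
{
    if (nhooks == 4)
        return 0;                     /* hook table full */
    egress_hooks[nhooks++] = fn;
    return egress_needed = 1;         /* key flipped on once a hook exists */
}

/* Example hook: drop outbound Ethernet/IPv4/UDP to port 67 or 68 (DHCP). */
static enum verdict drop_outbound_dhcp(const uint8_t *f, size_t len)
{
    if (len < 42 || f[12] != 0x08 || f[13] != 0x00)
        return NF_ACCEPT;                               /* not IPv4 */
    size_t ihl = (size_t)(f[14] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl + 8 || f[14 + 9] != 17)
        return NF_ACCEPT;                               /* not UDP */
    uint16_t dport = (uint16_t)((f[14 + ihl + 2] << 8) | f[14 + ihl + 3]);
    return (dport == 67 || dport == 68) ? NF_DROP : NF_ACCEPT;
}

/* The out-of-line egress function: walk the hook list, first DROP wins. */
static enum verdict nf_hook_egress_model(const uint8_t *frame, size_t len)
{
    for (size_t i = 0; i < nhooks; i++)
        if (egress_hooks[i](frame, len) == NF_DROP)
            return NF_DROP;
    return NF_ACCEPT;
}

/* Hot path: only diverts into the egress function when the gate is set. */
static enum verdict dev_queue_xmit_model(const uint8_t *frame, size_t len)
{
    return egress_needed ? nf_hook_egress_model(frame, len) : NF_ACCEPT;
}

/* Constructed 42-byte Ethernet+IPv4+UDP frames; only fields the hook reads are set. */
#define UDP_FRAME(dport) { [12] = 0x08, [14] = 0x45, [23] = 17, [37] = (dport) }
static const uint8_t dhcp_frame[42] = UDP_FRAME(67);   /* DHCP server port */
static const uint8_t dns_frame[42]  = UDP_FRAME(53);   /* ordinary DNS query */
```

With no hook registered the gate stays off and every frame passes untouched, which is the "neither tc nor nft" case the cover letter measures; registering the hook flips the gate and the DHCP frame is dropped while DNS still passes.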