From: David Miller <davem@davemloft.net>
To: nbd@nbd.name
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH 00/30] Netfilter/IPVS updates for net-next
Date: Mon, 12 Mar 2018 16:01:19 -0400 (EDT) [thread overview]
Message-ID: <20180312.160119.1610465393660409111.davem@davemloft.net> (raw)
In-Reply-To: <4521f7bd-c63a-9d2d-bdb3-5f4db58a7ba1@nbd.name>
From: Felix Fietkau <nbd@nbd.name>
Date: Mon, 12 Mar 2018 20:30:01 +0100
> It's not dead and useless. In its current state, it has a software fast
> path that significantly improves nftables routing/NAT throughput,
> especially on embedded devices.
> On some devices, I've seen "only" 20% throughput improvement (along with
> CPU usage reduction), on others it's quite a bit lot more. This is
> without any extra drivers or patches aside from what's posted.
I wonder if this software fast path has the exploitability problems that
things like the ipv4 routing cache and the per-cpu flow cache both had.
And the reason for which both were removed.
I don't see how you can avoid this problem.
I'm willing to be shown otherwise :-)
next prev parent reply other threads:[~2018-03-12 20:01 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-12 17:58 [PATCH 00/30] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 01/30] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 02/30] netfilter: nfnetlink_acct: remove useless parameter Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 03/30] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 04/30] netfilter: nf_conntrack_broadcast: remove useless parameter Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 05/30] netfilter: ipt_ah: return boolean instead of integer Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 06/30] netfilter: unlock xt_table earlier in __do_replace Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 07/30] netfilter: x_tables: check standard verdicts in core Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 08/30] netfilter: x_tables: check error target size too Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 09/30] netfilter: x_tables: move hook entry checks into core Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 10/30] netfilter: x_tables: enforce unique and ascending entry points Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 11/30] netfilter: x_tables: cap allocations at 512 mbyte Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 12/30] netfilter: x_tables: limit allocation requests for blob rule heads Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 13/30] netfilter: x_tables: add counters allocation wrapper Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 14/30] netfilter: compat: prepare xt_compat_init_offsets to return errors Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 15/30] netfilter: compat: reject huge allocation requests Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 16/30] netfilter: x_tables: make sure compat af mutex is held Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 17/30] netfilter: x_tables: ensure last rule in base chain matches underflow/policy Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 18/30] netfilter: make xt_rateest hash table per net Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 19/30] netfilter: xt_limit: Spelling s/maxmum/maximum/ Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 20/30] netfilter: nf_flow_table: use IP_CT_DIR_* values for FLOW_OFFLOAD_DIR_* Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 21/30] netfilter: nf_flow_table: clean up flow_offload_alloc Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 22/30] ipv6: make ip6_dst_mtu_forward inline Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 23/30] netfilter: nf_flow_table: cache mtu in struct flow_offload_tuple Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 24/30] netfilter: nf_flow_table: rename nf_flow_table.c to nf_flow_table_core.c Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 25/30] netfilter: x_tables: fix build with CONFIG_COMPAT=n Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 26/30] ipvs: use true and false for boolean values Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 27/30] netfilter: nf_tables: handle rt0 and rt2 properly Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 28/30] netfilter: Refactor nf_conncount Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 29/30] netfilter: conncount: Support count only use case Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 30/30] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6} Pablo Neira Ayuso
2018-03-12 18:58 ` [PATCH 00/30] Netfilter/IPVS updates for net-next David Miller
2018-03-12 19:30 ` Felix Fietkau
2018-03-12 20:01 ` David Miller [this message]
2018-03-12 20:22 ` Felix Fietkau
2018-03-13 13:41 ` Florian Westphal
2018-03-13 15:34 ` David Miller
2018-03-13 15:39 ` Florian Westphal
2018-03-14 18:38 ` Pablo Neira Ayuso
2018-03-16 16:23 ` David Miller
2018-03-16 16:39 ` Guy Shattah
2018-03-16 16:41 ` David Miller
-- strict thread matches above, loose matches on Subject: below --
2015-09-22 9:13 Pablo Neira Ayuso
2015-09-22 20:12 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180312.160119.1610465393660409111.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=nbd@nbd.name \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).