From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from shards.monkeyblade.net ([184.105.139.130]:36178 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751282AbeCLUBX (ORCPT ); Mon, 12 Mar 2018 16:01:23 -0400
Date: Mon, 12 Mar 2018 16:01:19 -0400 (EDT)
Message-Id: <20180312.160119.1610465393660409111.davem@davemloft.net>
To: nbd@nbd.name
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 00/30] Netfilter/IPVS updates for net-next
From: David Miller
In-Reply-To: <4521f7bd-c63a-9d2d-bdb3-5f4db58a7ba1@nbd.name>
References: <20180312175920.9022-1-pablo@netfilter.org> <20180312.145843.1054152977291695095.davem@davemloft.net> <4521f7bd-c63a-9d2d-bdb3-5f4db58a7ba1@nbd.name>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Felix Fietkau
Date: Mon, 12 Mar 2018 20:30:01 +0100

> It's not dead and useless. In its current state, it has a software fast
> path that significantly improves nftables routing/NAT throughput,
> especially on embedded devices.
> On some devices, I've seen "only" 20% throughput improvement (along with
> CPU usage reduction), on others it's quite a bit lot more. This is
> without any extra drivers or patches aside from what's posted.

I wonder if this software fast path has the exploitability problems
that things like the ipv4 routing cache and the per-cpu flow cache
both had. And the reason for which both were removed.

I don't see how you can avoid this problem.

I'm willing to be shown otherwise :-)