From: David Miller <davem@davemloft.net>
To: fw@strlen.de
Cc: nbd@nbd.name, pablo@netfilter.org,
	netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 00/30] Netfilter/IPVS updates for net-next
Date: Tue, 13 Mar 2018 11:34:34 -0400 (EDT)
Message-ID: <20180313.113434.1173466843045633114.davem@davemloft.net>
In-Reply-To: <20180313134139.GD31828@breakpoint.cc>

From: Florian Westphal <fw@strlen.de>
Date: Tue, 13 Mar 2018 14:41:39 +0100

> David Miller <davem@davemloft.net> wrote:
>> From: Felix Fietkau <nbd@nbd.name>
>> Date: Mon, 12 Mar 2018 20:30:01 +0100
>> 
>> > It's not dead and useless. In its current state, it has a software fast
>> > path that significantly improves nftables routing/NAT throughput,
>> > especially on embedded devices.
>> > On some devices, I've seen "only" 20% throughput improvement (along with
>> > CPU usage reduction), on others it's quite a bit more. This is
>> > without any extra drivers or patches aside from what's posted.
>> 
>> I wonder if this software fast path has the exploitability problems that
>> things like the ipv4 routing cache and the per-cpu flow cache both had.
> 
> No, entries in the flow table are backed by an entry in the conntrack
> table, and that has an upper ceiling.
> 
> As the decision of when an entry gets placed into the flow table is
> configurable via ruleset (nftables, iptables will be coming too), one
> can tie the 'fastpathing' to almost-arbitrary criteria, e.g.
> 
> 'only flows from trusted internal network'
> 'only flows that saw two-way communication'
> 'only flows that sent more than 100kbyte'
> 
> or any combination thereof.
> 
> Do you see another problem that needs to be addressed?

Ok, that seems to constrain the exposure.

We should talk at some point about how exposed conntrack itself is.
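The gating Florian describes, written out as an nftables ruleset. This is an added example for this archive page, not a ruleset posted in the thread or shipped by the netfilter project. It assumes a router with a trusted interface lan0 and an untrusted interface wan0; the 100 KiB threshold and the interface names are illustrative. A connection is admitted to the software flowtable only when all three of the listed criteria hold, and the forward chain still handles every packet that is not (yet) offloaded:

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names, the byte
# threshold and the table name are assumptions for illustration.

flush ruleset

table inet fastpath {
    # Software flowtable attached at ingress on both router ports.
    # Each entry here is backed by a conntrack entry, so the number of
    # fast-path entries is bounded by net.netfilter.nf_conntrack_max.
    flowtable ft {
        hook ingress priority 0
        devices = { lan0, wan0 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Admit to the fast path only when:
        #   1. the flow was initiated on the trusted internal interface,
        #   2. conntrack has already seen a reply (two-way communication),
        #   3. the initiator has sent more than 100 KiB.
        # Only TCP and UDP can be offloaded. 'ct original bytes' stays 0
        # unless accounting is on (net.netfilter.nf_conntrack_acct=1).
        iifname "lan0" meta l4proto { tcp, udp } ct status seen-reply ct original bytes > 102400 flow add @ft

        # 'flow add' does not terminate rule evaluation; the packet that
        # created the entry, and every non-offloaded packet, is still
        # subject to ordinary stateful forwarding below.
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
    }
}
```

Load it with `nft -f <file>`. The nft releases contemporary with this thread (0.8.x) spelled the statement `flow offload @ft`; current releases accept `flow add @ft` and keep the old spelling as an alias. Because the byte criterion depends on conntrack accounting, set `net.netfilter.nf_conntrack_acct=1` before relying on it, and remember that the ceiling Florian refers to is `net.netfilter.nf_conntrack_max`: once conntrack is full, no new flowtable entries can be created either, which is exactly why the two tables share the same exposure. Offloaded entries show up in `conntrack -L` with the `[OFFLOAD]` status flag.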


Thread overview: 44+ messages
2018-03-12 17:58 [PATCH 00/30] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 01/30] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 02/30] netfilter: nfnetlink_acct: remove useless parameter Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 03/30] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 04/30] netfilter: nf_conntrack_broadcast: remove useless parameter Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 05/30] netfilter: ipt_ah: return boolean instead of integer Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 06/30] netfilter: unlock xt_table earlier in __do_replace Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 07/30] netfilter: x_tables: check standard verdicts in core Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 08/30] netfilter: x_tables: check error target size too Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 09/30] netfilter: x_tables: move hook entry checks into core Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 10/30] netfilter: x_tables: enforce unique and ascending entry points Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 11/30] netfilter: x_tables: cap allocations at 512 mbyte Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 12/30] netfilter: x_tables: limit allocation requests for blob rule heads Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 13/30] netfilter: x_tables: add counters allocation wrapper Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 14/30] netfilter: compat: prepare xt_compat_init_offsets to return errors Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 15/30] netfilter: compat: reject huge allocation requests Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 16/30] netfilter: x_tables: make sure compat af mutex is held Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 17/30] netfilter: x_tables: ensure last rule in base chain matches underflow/policy Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 18/30] netfilter: make xt_rateest hash table per net Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 19/30] netfilter: xt_limit: Spelling s/maxmum/maximum/ Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 20/30] netfilter: nf_flow_table: use IP_CT_DIR_* values for FLOW_OFFLOAD_DIR_* Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 21/30] netfilter: nf_flow_table: clean up flow_offload_alloc Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 22/30] ipv6: make ip6_dst_mtu_forward inline Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 23/30] netfilter: nf_flow_table: cache mtu in struct flow_offload_tuple Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 24/30] netfilter: nf_flow_table: rename nf_flow_table.c to nf_flow_table_core.c Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 25/30] netfilter: x_tables: fix build with CONFIG_COMPAT=n Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 26/30] ipvs: use true and false for boolean values Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 27/30] netfilter: nf_tables: handle rt0 and rt2 properly Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 28/30] netfilter: Refactor nf_conncount Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 29/30] netfilter: conncount: Support count only use case Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 30/30] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6} Pablo Neira Ayuso
2018-03-12 18:58 ` [PATCH 00/30] Netfilter/IPVS updates for net-next David Miller
2018-03-12 19:30   ` Felix Fietkau
2018-03-12 20:01     ` David Miller
2018-03-12 20:22       ` Felix Fietkau
2018-03-13 13:41       ` Florian Westphal
2018-03-13 15:34         ` David Miller [this message]
2018-03-13 15:39           ` Florian Westphal
2018-03-14 18:38           ` Pablo Neira Ayuso
2018-03-16 16:23             ` David Miller
2018-03-16 16:39   ` Guy Shattah
2018-03-16 16:41     ` David Miller
