From: Patrick McHardy <kaber@trash.net>
To: Caitlin Bestler <caitlin.bestler@gmail.com>
Cc: Rick Jones <rick.jones2@hp.com>,
Bill Fink <billfink@mindspring.com>,
Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: RFC: ethtool support for n-tuple filter programming
Date: Mon, 09 Nov 2009 18:36:55 +0100 [thread overview]
Message-ID: <4AF85337.8060802@trash.net> (raw)
In-Reply-To: <469958e00911090923s7688bb78i18c7102195be6f9b@mail.gmail.com>
Caitlin Bestler wrote:
> On Sat, Nov 7, 2009 at 3:28 PM, Rick Jones <rick.jones2@hp.com> wrote:
>> At the risk of typing words into someone's keyboard, I interpreted it as
>> suggesting using the filtering language of netfilter or something similar,
>> not necessarily netfilter itself?
>>
>
> Correct, a netfilter-friendly interface to the driver could be invoked by
> lower-overhead entities that netfilter and the driver would not care.
>
> However the real goal would be to still use netfilter, which would become
> a low-overhead entity if it could delegate 90% of the rules it enforced to
> smart hardware.
That's not possible in a compatible fashion with ip_tables because of
counters, logging, rules affecting traffic from multiple interfaces,
targets not supported in hardware (which I presume will simply be
"DROP") etc.
Counters are actually the worst feature standing in the way of this,
but even without them, you could usually only offload the first n
dropping rules that don't use any features not supported in hardware
and only affect the specific interface. Any "ACCEPT" rule is most
likely followed by further drop rules, so packets actually need to
hit those rules in software to exit table processing.
It gets even worse if you consider ingress TC actions directing the
packets to different interfaces or mangling them.
> The fundamental suggestion is to start with a filter specification that is
> clearly too rich for any Ethernet device, and let the Ethernet devices
> decide how quickly they want to catch up. As opposed to standardizing
> how smart a smart Ethernet device is and potentially leaving some hardware
> capabilities made inaccessible.
>
> I'll point out that once you assume an Ethernet Device is capable of doing
> TCP/UDP checksum offload and LSO/LRO then clearly you have recognized
> that it is an L4 aware device. Designing its filtering rules as though it were
> an L2-only device does not allow it to take advantage of the L4 parsing that
> many/most Ethernet NICs already do.
next prev parent reply other threads:[~2009-11-09 17:36 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-06 18:57 RFC: ethtool support for n-tuple filter programming Peter P Waskiewicz Jr
2009-11-06 19:12 ` Caitlin Bestler
2009-11-06 19:31 ` Peter P Waskiewicz Jr
2009-11-07 19:49 ` Bill Fink
2009-11-07 23:28 ` Rick Jones
2009-11-09 17:23 ` Caitlin Bestler
2009-11-09 17:36 ` Patrick McHardy [this message]
2009-11-08 4:27 ` David Miller
2009-11-09 5:49 ` Peter P Waskiewicz Jr
2009-11-09 6:38 ` David Miller
2009-11-09 6:54 ` Peter P Waskiewicz Jr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AF85337.8060802@trash.net \
--to=kaber@trash.net \
--cc=billfink@mindspring.com \
--cc=caitlin.bestler@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=peter.p.waskiewicz.jr@intel.com \
--cc=rick.jones2@hp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).