From: Florian Westphal <fw@strlen.de>
To: Jesper Dangaard Brouer <hawk@kernel.org>
Cc: netfilter-devel@vger.kernel.org,
Pablo Neira Ayuso <pablo@netfilter.org>,
netdev@vger.kernel.org, phil@nwl.cc,
Eric Dumazet <eric.dumazet@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
kernel-team@cloudflare.com, mfleming@cloudflare.com,
matt@readmodwrite.com
Subject: Re: [PATCH nf-next RFC 1/3] xt_statistic: taking GRO/GSO into account for nth-match
Date: Thu, 27 Nov 2025 15:40:43 +0100 [thread overview]
Message-ID: <aShi608hEPxDLvsr@strlen.de> (raw)
In-Reply-To: <176424683595.194326.16910514346485415528.stgit@firesoul>
Jesper Dangaard Brouer <hawk@kernel.org> wrote:
> The iptables statistic nth mode is documented to match one packet every nth
> packets. When packets gets GRO/GSO aggregated before traversing the statistic
> nth match, then they get accounted as a single packet.
>
> This patch takes into account the number of packet frags a GRO/GSO packet
> contains for the xt_statistic match.
I doubt we can do this upstream. Two reasons that come to mind, in no
particular order:
1. It introduces asymmetry. All matches use "skb == packet" design.
Examples that come to mind: xt_limit, xt_length.
2. This adds a compat issue with nftables:
iptables-translate -A INPUT -m statistic --mode nth --packet 0 --every 10
nft 'add rule ip filter INPUT numgen inc mod 10 0 counter'
'numgen' increments a counter for every skb, i.e. reg := i++;.
But, after this patch -m statistics doesn't work this way anymore
and the two rules no longer do the same thing.
But even if we'd ignore this or add a flag to control behavior, I don't
see how this could be implemented in nft.
And last but not least, I'm not sure the premise is correct.
Yes, when you think of 'packet sampling', then we don't 'match'
often enough for gro/gso case.
However, when doing '-m statistic ... -j LOG' (or whatever), then the
entire GSO superpacket is logged, i.e. several 'packets' got matched
at once.
So the existing algorithm works correctly even when considering
aggregation because on average the correct amount of segments gets
matched (logged).
With this proposed new algo, we can now match 100% of skbs / aggregated
segments, even for something like '--every 10'. And that seems fishy to
me.
As far as I understood its only 'more correct' in your case because the
logging backend picks one individual segment out from the NFLOG'd
superpacket.
But if it would NOT do that, then you now sample (almost) all segments
seen on wire. Did I misunderstand something here?
next prev parent reply other threads:[~2025-11-27 14:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-27 12:33 [PATCH nf-next RFC 0/3] netfilter: x_tables: statistic nth match account GRO/GSO packets Jesper Dangaard Brouer
2025-11-27 12:33 ` [PATCH nf-next RFC 1/3] xt_statistic: taking GRO/GSO into account for nth-match Jesper Dangaard Brouer
2025-11-27 14:40 ` Florian Westphal [this message]
2025-12-05 16:23 ` Jesper Dangaard Brouer
2025-12-08 10:37 ` Nick Wood
2025-12-08 14:18 ` Florian Westphal
2025-11-27 12:34 ` [PATCH nf-next RFC 2/3] xt_statistic: do nth-mode accounting per CPU Jesper Dangaard Brouer
2025-11-27 14:48 ` Florian Westphal
2025-12-08 14:46 ` Florian Westphal
2025-11-27 12:34 ` [PATCH nf-next RFC 3/3] xt_statistic: DEBUG patch Jesper Dangaard Brouer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aShi608hEPxDLvsr@strlen.de \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=hawk@kernel.org \
--cc=kernel-team@cloudflare.com \
--cc=kuba@kernel.org \
--cc=matt@readmodwrite.com \
--cc=mfleming@cloudflare.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).