From: Jan-Philipp Litza <jpl@plutex.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: Reverse nft_set_lookup_byid list traversal
Date: Tue, 19 Jan 2021 15:22:05 +0100
Message-ID: <00ff9577-21d5-177b-33ed-f8de85a11929@plutex.de>
In-Reply-To: <20210114224057.GA5392@salvia>
Hi Pablo,
> If the .nft file contains lots of (linear syntax):
>
> add rule x y ... { ... }
> ...
> add rule x y ... { ... }
>
> then, this patch is a real gain. In this case, nft currently places
> the new anonymous set right before the rule, so your patch makes it
> perform nicely.
>
> I hesitate with the nested syntax, ie.
>
> table x {
>     chain y {
>         ... { ... }
>         ...
>         ... { ... }
>     }
> }
>
> In this case, nft adds all the anonymous sets at the beginning of the
> netlink message, then rules don't find it right at the end.
Maybe I don't quite understand "at the beginning of the netlink message"
the way you meant it, but we are actually using nested syntax - just
with hundreds of (short) chains - and the performance gains I cited were
from this ruleset, which basically looks like
table filter {
    chain if1 {
        tcp dport 22 ip saddr { x, y, z } accept
    }
}
table filter {
    chain if2 {
        ip saddr { a, b, c } accept
        tcp dport 80 accept
    }
}
...
(Yes, the "table filter" is repeated every time, because the ruleset is
generated. Don't know if that matters.)
So I suspect that nft adds the anonymous sets maybe not immediately
before the elements, but maybe at the beginning of the chain (or the
beginning of the table block, which we repeat).
But maybe, if I have one chain with hundreds of rules, then this patch
degrades loading performance.
> Probably it's better to convert this code to use a rhashtable for fast
> lookups on the transaction so we don't mind about what userspace does
> in the future.
I totally agree. As a non-kernel-hacker, however, this was out of reach
for me. ;-)
Best regards,
Jan-Philipp Litza
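The two list layouts discussed in this thread can be compared with a small constructed model. The following C program is an added example written for this page, not kernel code and not the patch under review: it models the transaction list as an array of NEWSET and NEWRULE entries and counts how many entries a set-by-id lookup visits when each rule is processed, walking either head-first (the existing behaviour) or tail-first (what the patch does). The layouts are the two Pablo describes: the linear syntax, where nft emits each anonymous set right before its rule, and the nested syntax, where all anonymous sets come first. The struct and function names here are invented for the model and do not correspond to kernel identifiers.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a netfilter transaction list (illustrative only):
 * each entry is either a NEWSET creating an anonymous set, or a NEWRULE
 * that references exactly one anonymous set by id. */
enum txn_type { TXN_NEWSET, TXN_NEWRULE };

struct txn {
    enum txn_type type;
    unsigned int set_id;   /* id of the set created (NEWSET) or used (NEWRULE) */
};

/* Linear syntax ("add rule ... { ... }" repeated): the anonymous set is
 * placed immediately before the rule that uses it: S0 R0 S1 R1 ... */
static size_t build_linear(struct txn *list, size_t nrules)
{
    size_t k = 0;
    for (unsigned int i = 0; i < nrules; i++) {
        list[k++] = (struct txn){ TXN_NEWSET, i };
        list[k++] = (struct txn){ TXN_NEWRULE, i };
    }
    return k;
}

/* Nested syntax as described in the thread: all anonymous sets are emitted
 * at the beginning, followed by the rules: S0 S1 ... R0 R1 ... */
static size_t build_nested(struct txn *list, size_t nrules)
{
    size_t k = 0;
    for (unsigned int i = 0; i < nrules; i++)
        list[k++] = (struct txn){ TXN_NEWSET, i };
    for (unsigned int i = 0; i < nrules; i++)
        list[k++] = (struct txn){ TXN_NEWRULE, i };
    return k;
}

/* Entries visited while resolving the set referenced by the rule at `pos`.
 * Only entries before `pos` exist in the list when the rule is processed.
 * reverse == 0 walks from the head (current code); reverse != 0 walks from
 * the tail (the patch's list_for_each_entry_reverse behaviour). */
static size_t visits_for_rule(const struct txn *list, size_t pos, int reverse)
{
    size_t visited = 0;
    if (!reverse) {
        for (size_t j = 0; j < pos; j++) {
            visited++;
            if (list[j].type == TXN_NEWSET && list[j].set_id == list[pos].set_id)
                return visited;
        }
    } else {
        for (size_t j = pos; j-- > 0; ) {
            visited++;
            if (list[j].type == TXN_NEWSET && list[j].set_id == list[pos].set_id)
                return visited;
        }
    }
    return visited; /* not found: the whole prefix was scanned */
}

/* Total entries visited over every rule lookup in the transaction. */
size_t total_lookup_cost(const struct txn *list, size_t len, int reverse)
{
    size_t total = 0;
    for (size_t pos = 0; pos < len; pos++)
        if (list[pos].type == TXN_NEWRULE)
            total += visits_for_rule(list, pos, reverse);
    return total;
}

/* Cost for a linear-syntax ruleset with `nrules` rules. */
size_t cost_linear(size_t nrules, int reverse)
{
    struct txn *list = malloc(2 * nrules * sizeof(*list));
    size_t len = build_linear(list, nrules);
    size_t cost = total_lookup_cost(list, len, reverse);
    free(list);
    return cost;
}

/* Cost for a nested-syntax ruleset with `nrules` rules. */
size_t cost_nested(size_t nrules, int reverse)
{
    struct txn *list = malloc(2 * nrules * sizeof(*list));
    size_t len = build_nested(list, nrules);
    size_t cost = total_lookup_cost(list, len, reverse);
    free(list);
    return cost;
}

int main(void)
{
    size_t n = 100;
    printf("%zu rules, entries visited by set lookups:\n", n);
    printf("  linear syntax: head-first %zu, tail-first %zu\n",
           cost_linear(n, 0), cost_linear(n, 1));
    printf("  nested syntax: head-first %zu, tail-first %zu\n",
           cost_nested(n, 0), cost_nested(n, 1));
    return 0;
}
```

With the linear layout the tail-first walk finds the set in one step per rule, so the total drops from quadratic to linear in the number of rules; with the nested layout the sets sit at the far end from the tail, so the tail-first walk becomes quadratic instead. That is the trade-off both messages in this thread are circling, and why a hash-keyed lookup, which does not depend on where userspace puts the sets, removes the question entirely.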
Thread overview:
2021-01-07 8:56 [PATCH] netfilter: Reverse nft_set_lookup_byid list traversal Jan-Philipp Litza
2021-01-14 22:40 ` Pablo Neira Ayuso
2021-01-19 14:22 ` Jan-Philipp Litza [this message]