From: Karl Hiramoto <karl@hiramoto.org>
To: netfilter-devel@vger.kernel.org
Cc: Karl Hiramoto <karl@hiramoto.org>
Subject: [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection
Date: Sat, 24 Jul 2010 17:44:41 +0200 [thread overview]
Message-ID: <1279986285-11665-1-git-send-email-karl@hiramoto.org> (raw)
Hi, I'm working on a nf_queue based HTTP filter. Sometimes I want to
NF_ACCEPT X bytes of a connection. In an HTTP connection it's part of the
Content-Length. Being able to directly NF_ACCEPT large parts of a connection
is a 2X to 3X speedup, by not queuing these packets to user-space.
I've tested this patchset only with HTTP on IPv4, and it makes a large
difference in page load times (lower latency), max bandwidth utilization,
and CPU utilization (lower utilization).
This is something like connbytes, but with TCP look at the sequence number
to handle out-of-order and duplicate packets. I'm thinking about changing
the code to always queue if the TCP flags SYN, FIN, or RST are set.
Besides HTTP, I could imagine other L7 protocol filters using nf_queue
that could use this feature.
Bad points:
* making nfnetlink_queue depend on conntrack and on L3 (TCP).
This patchset is also at:
git://github.com/karlhiramoto/linux-2.6.git nfq
libnl patches to send NFQA_ACCEPT_CONNBYTES are at:
git://github.com/karlhiramoto/libnl.git
Karl Hiramoto (4):
netfilter/Kconfig: NF_QUEUE_CONNBYTES_BYPASS
nf_conntrack_queue: define struct that will be stored in nf_ct_extend
nf_conntrack: add nf_queue extension
nfnetlink_queue: allow part of a connection to bypass the queue
include/linux/netfilter/nfnetlink_queue.h | 1 +
include/net/netfilter/nf_conntrack_extend.h | 2 +
include/net/netfilter/nf_conntrack_queue.h | 17 ++++
net/netfilter/Kconfig | 13 +++-
net/netfilter/nf_conntrack_core.c | 37 +++++++++-
net/netfilter/nfnetlink_queue.c | 112 ++++++++++++++++++++++++++-
6 files changed, 179 insertions(+), 3 deletions(-)
create mode 100644 include/net/netfilter/nf_conntrack_queue.h
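The per-direction sequence-number check described above (accept in-kernel while a segment lies inside the granted byte window, handle retransmits and out-of-order segments by sequence number rather than by counting packets, and always queue SYN/FIN/RST), as an added illustration in C that is not part of this patchset. The struct names, bypass_grant() and bypass_verdict() are hypothetical stand-ins for the conntrack extension the patches add; the wrap-safe comparison is the usual 32-bit serial-number one.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical verdicts standing in for NF_QUEUE / NF_ACCEPT. */
enum verdict { VERDICT_QUEUE = 0, VERDICT_ACCEPT = 1 };

/* TCP flag bits as laid out in the TCP header flags byte. */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04

/* Hypothetical per-direction state (what the patchset keeps in nf_ct_extend):
 * the sequence number at which the userspace-granted bypass window ends. */
struct bypass_dir {
    bool     active;   /* userspace granted a bypass for this direction */
    uint32_t end_seq;  /* first sequence number that must be queued again */
};

/* Constructed packet summary: only the fields the decision needs. */
struct tcp_pkt {
    uint32_t seq;
    uint32_t payload_len;
    uint8_t  flags;
};

/* Wrap-safe "a is before b" on 32-bit sequence numbers (mod 2^32). */
static bool seq_before(uint32_t a, uint32_t b) {
    return (int32_t)(a - b) < 0;
}

/* Grant a bypass of nbytes starting at start_seq, as userspace would
 * request with NFQA_ACCEPT_CONNBYTES after inspecting the HTTP header. */
void bypass_grant(struct bypass_dir *d, uint32_t start_seq, uint32_t nbytes) {
    d->active  = true;
    d->end_seq = start_seq + nbytes;  /* may wrap; seq_before handles that */
}

/* Decide whether pkt can be accepted in-kernel or must go to userspace. */
enum verdict bypass_verdict(struct bypass_dir *d, const struct tcp_pkt *pkt) {
    if (!d->active)
        return VERDICT_QUEUE;
    /* Connection setup/teardown always reaches userspace. */
    if (pkt->flags & (TCP_SYN | TCP_FIN | TCP_RST))
        return VERDICT_QUEUE;
    uint32_t pkt_end = pkt->seq + pkt->payload_len;
    /* Whole segment (duplicate or out-of-order included) inside the window. */
    if (!seq_before(d->end_seq, pkt_end))
        return VERDICT_ACCEPT;
    /* Segment reaches past the window: bypass is over, queue from here on. */
    d->active = false;
    return VERDICT_QUEUE;
}
```

Once the window is closed a late retransmit of an earlier in-window segment is queued too; the filter in userspace simply sees it again, which is the safe direction to err in.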
Thread overview:
2010-07-24 15:44 Karl Hiramoto [this message]
2010-07-24 15:44 ` [RFC 1/4] netfilter/Kconfig: NF_QUEUE_CONNBYTES_BYPASS Karl Hiramoto
2010-07-24 15:44 ` [RFC 2/4] nf_conntrack_queue: define struct that will be stored in nf_ct_extend Karl Hiramoto
2010-07-24 15:44 ` [RFC 3/4] nf_conntrack: add nf_queue extension Karl Hiramoto
2010-07-24 15:44 ` [RFC 4/4] nfnetlink_queue: allow part of a connection to bypass the queue Karl Hiramoto
2010-07-24 18:26 ` [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection Pablo Neira Ayuso
2010-07-25 6:55 ` Karl Hiramoto
2010-07-25 10:42 ` Pablo Neira Ayuso
2010-07-26 6:50 ` Karl Hiramoto
[not found] ` <4C4D2C33.6050901@hiramoto.org>
2010-07-26 17:35 ` Pablo Neira Ayuso