From: Pablo Neira Ayuso <pablo@netfilter.org>
To: kaber@trash.net
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH 0/3 nftables RFC] set infrastructure updates
Date: Sun, 5 Jan 2014 22:18:45 +0100 [thread overview]
Message-ID: <1388956728-6754-1-git-send-email-pablo@netfilter.org> (raw)
Hi,
The following patchset contains three updates for the set
infrastructure in nf_tables, they are:
1) Fix suboptimal set selection. In my testbed, all anonymous/constant sets
are being created via the rb-tree set type, which is not optimal. To
resolve this problem I have added a priority field, so in case that we
find several set types that are suitable for the features that are
requested. As a result, the hash is prefered to the rb-tree set type
whenever possible.
2) Limit maximum number of elements per sets: Currently we have no way to set
this limit. This adds two new netlink attributes, one to set the maximum
number of elements and another to return the current number of elements
per sets. The default maximum size is set to 1024, thus, the hashtable
array consumes 16 KBytes in x86_64.
3) Calculate the number of buckets in the hash set based on the maximum
number of elements to achieve a load factor of .75. For anonymous/constant
sets, the maximum element number that nft specifies is exactly the amount
of elements that the set contains to optimize memory consumption.
In this direction, by adding more specific set descriptions (via a new netlink
attributes that contains configuration information specified by the user) it
should be possible to allow space-time trade-offs for named sets.
Pablo Neira Ayuso (3):
netfilter: nf_tables: fix suboptimal set selection
netfilter: nf_tables: limit maximum number of elements
netfilter: nft_hash: use set->maxelems to calculate number of buckets
include/net/netfilter/nf_tables.h | 17 +++++++++++++++++
include/uapi/linux/netfilter/nf_tables.h | 4 ++++
net/netfilter/nf_tables_api.c | 25 ++++++++++++++++++++-----
net/netfilter/nft_hash.c | 5 ++---
net/netfilter/nft_rbtree.c | 1 +
5 files changed, 44 insertions(+), 8 deletions(-)
--
1.7.10.4
next reply other threads:[~2014-01-05 21:18 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-05 21:18 Pablo Neira Ayuso [this message]
2014-01-05 21:18 ` [PATCH 1/3] netfilter: nf_tables: fix suboptimal set selection Pablo Neira Ayuso
2014-01-05 21:28 ` Patrick McHardy
2014-01-05 21:34 ` Pablo Neira Ayuso
2014-01-05 21:45 ` Patrick McHardy
2014-01-05 22:11 ` Pablo Neira Ayuso
2014-01-05 22:21 ` Patrick McHardy
2014-01-05 21:18 ` [PATCH 2/3] netfilter: nf_tables: limit maximum number of elements Pablo Neira Ayuso
2014-01-05 21:51 ` Patrick McHardy
2014-01-05 22:14 ` Pablo Neira Ayuso
2014-01-05 22:15 ` Pablo Neira Ayuso
2014-01-05 22:25 ` Patrick McHardy
2014-01-05 21:18 ` [PATCH 3/3] netfilter: nft_hash: use set->maxelems to calculate number of buckets Pablo Neira Ayuso
2014-01-05 21:47 ` Patrick McHardy
2014-01-05 22:12 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1388956728-6754-1-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).