From: Krishna Kumar <krkumar2@in.ibm.com>
To: kaber@trash.net, pablo@netfilter.org
Cc: vivk@us.ibm.com, svajipay@in.ibm.com, fw@strlen.de,
	netfilter-devel@vger.kernel.org,
	Krishna Kumar <krkumar2@in.ibm.com>,
	sri@us.ibm.com
Subject: [v2 PATCH 0/6] netfilter: "fail-open" feature support for NFQUEUE
Date: Tue, 08 May 2012 15:13:42 +0530
Message-ID: <20120508094342.19531.51351.sendpatchset@localhost.localdomain>

Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However, during heavy load,
the NFQUEUE queue (default 1024 entries) fills up and connections fail
after a large number of packets drop during enqueue. Increasing the
queue size delays the problem and also worsens latency.

This patch set implements "failopen" support for NFQUEUE to help
keep connections open during such failures. This is achieved by
allowing acceptance of packets temporarily when the queue is full,
which enables existing connections to be kept alive. Customers have
expressed a preference for this option, as a similar feature is available
on other systems.

Failopen is enabled/disabled using the nfq_set_failopen() call, which
uses netlink's NFQA_CFG_FAIL_OPEN attribute (I will submit the library
code to turn fail-open on/off later). During a stalled scp session, the
application can call this new API with fail-open set to continue the
session, as can be seen below:

		Server:
# iptables -A INPUT -p tcp -m mac --mac-source 00:00:C9:C6:4F:22 \
	-j NFQUEUE --queue-num 0
# Run the interceptor program with a 50ms delay between packet processing,
	which also sets qlen to 16. After every read system call, this program
	tests and reads a config file's contents (0 or 1) and dynamically
	calls nfq_set_failopen(qh, val).

		Client:
# scp LARGE_FILE 10.0.4.1:/tmp
LARGE_FILE                           2% 2832KB 183.7KB/s   09:38 ETA
LARGE_FILE                           2% 3088KB  67.3KB/s   26:14 ETA
	<Set failopen=1 on server at this time>
LARGE_FILE                           11%   12MB   1.0MB/s   01:35 ETA
LARGE_FILE                           70%   75MB   7.2MB/s   00:04 ETA
LARGE_FILE                           100%  107MB   2.5MB/s  00:42


Please review.

Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: Vivek Kashyap <vivk@us.ibm.com>
Signed-off-by: Sridhar Samudrala <samudrala@us.ibm.com>
---
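An added illustration, not code from this patch series or from the kernel: a small user-space C model of the decision the cover letter describes (queue full, fail-open off or on), with separate counters so an operator can see how many packets were let through without inspection. The fo_* names and the 20-packet burst are constructed.

```c
/* Added example, not the kernel's nfnetlink_queue code: a user-space model of
 * the fail-open decision. The fo_* names and the burst scenario are constructed. */
#include <stdio.h>

enum verdict { FO_QUEUED, FO_DROPPED, FO_BYPASSED };

struct fo_queue {
    unsigned int queue_total;   /* packets waiting for a user-space verdict */
    unsigned int queue_maxlen;  /* capacity; NFQUEUE defaults to 1024 */
    int fail_open;              /* 0: drop when full, 1: accept when full */
    unsigned long dropped;      /* lost because the queue was full */
    unsigned long bypassed;     /* accepted WITHOUT deep packet inspection */
};

/* Counterpart of nfq_set_failopen(qh, val): toggled at runtime by the
 * interceptor, so the kernel side must consult it on every packet. */
static void fo_set_failopen(struct fo_queue *q, int val) { q->fail_open = !!val; }

/* Kernel side: a packet reaches the NFQUEUE target. */
static enum verdict fo_enqueue(struct fo_queue *q)
{
    if (q->queue_total < q->queue_maxlen) {
        q->queue_total++;
        return FO_QUEUED;
    }
    if (q->fail_open) {
        q->bypassed++;          /* connection stays alive, packet uninspected */
        return FO_BYPASSED;
    }
    q->dropped++;               /* previous behaviour: packet lost, scp stalls */
    return FO_DROPPED;
}

/* A burst of `burst` packets arriving before the interceptor drains any. */
static struct fo_queue fo_simulate(unsigned int maxlen, int fail_open, unsigned int burst)
{
    struct fo_queue q = { 0, maxlen, 0, 0, 0 };
    fo_set_failopen(&q, fail_open);
    for (unsigned int i = 0; i < burst; i++)
        fo_enqueue(&q);
    return q;
}

int main(void)
{
    struct fo_queue q = fo_simulate(16, 1, 20);   /* qlen 16 as in the test run */
    printf("dropped=%lu bypassed=%lu (bypassed packets were never inspected)\n",
           q.dropped, q.bypassed);
    return 0;
}
```

The bypassed counter is the number to watch in monitoring: each increment is a packet the security module never saw.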


Thread overview:
2012-05-08  9:43 Krishna Kumar [this message]
2012-05-08  9:43 ` [v2 PATCH 1/6] netfilter: Add new netlink NFQA_CFG_FAIL_OPEN Krishna Kumar
2012-05-08 11:34   ` Pablo Neira Ayuso
2012-05-08  9:44 ` [v2 PATCH 2/6] netfilter: Change enqueue handlers return values Krishna Kumar
2012-05-08  9:44 ` [v2 PATCH 3/6] netfilter: Add support for per-queue fail-open Krishna Kumar
2012-05-08  9:44 ` [v2 PATCH 4/6] netfilter: Add fail-open support to handler Krishna Kumar
2012-05-08 11:58   ` Pablo Neira Ayuso
2012-05-08  9:44 ` [v2 PATCH 5/6] netfilter: GSO packet handling Krishna Kumar
2012-05-08 12:28   ` Pablo Neira Ayuso
2012-05-10  4:20     ` Krishna Kumar2
2012-05-08  9:44 ` [v2 PATCH 6/6] netfilter: Enable fail-open support Krishna Kumar
