netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jakub Kicinski <kuba@kernel.org>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
	netdev@vger.kernel.org, Felix Fietkau <nbd@nbd.name>
Subject: Re: [PATCH net-next 00/23] netfilter: flowtable enhancements
Date: Thu, 11 Mar 2021 22:45:05 +0100
Message-ID: <20210311214505.GA5251@salvia>
In-Reply-To: <20210311124705.0af44b8d@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On Thu, Mar 11, 2021 at 12:47:05PM -0800, Jakub Kicinski wrote:
> On Thu, 11 Mar 2021 01:35:41 +0100 Pablo Neira Ayuso wrote:
> > The following patchset augments the Netfilter flowtable fastpath to
> > support network topologies that combine IP forwarding, bridge,
> > classic VLAN devices, bridge VLAN filtering, DSA and PPPoE. This
> > includes support for the flowtable software and hardware datapaths.
> > 
> > The following picture provides an example scenario:
> > 
> >                         fast path!
> >                 .------------------------.
> >                /                          \
> >                |           IP forwarding  |
> >                |          /             \ \/
> >                |       br0               wan ..... eth0
> >                .       / \                         host C
> >                -> veth1  veth2  
> >                    .           switch/router
> >                    .
> >                    .
> >                  eth0
> >                 host A
> > 
> > The bridge master device 'br0' has an IP address and a DHCP server is
> > also assumed to be running to provide connectivity to host A which
> > reaches the Internet through 'br0' as default gateway. Then, packets
> > enter the IP forwarding path and Netfilter is used to NAT the packets
> > before they leave through the wan device.
> > 
> > The general idea is to accelerate forwarding by building a fast path
> > that takes packets from the ingress path of the bridge port and places
> > them in the egress path of the wan device (and vice versa). Hence,
> > skipping the classic bridge and IP stack paths.
> 
> And how did you solve the invalidation problem?

The flowtable fast datapath is entirely optional, users turn it on via
ruleset. Users also have full control on what flows are added to the
flowtable datapath and _when_ those flows are added to the flowtable
datapath, *it's highly configurable*. The main concerns about the
previous caches that were removed from the kernel (such as the
routing table cache) are that:

1) Those mechanisms were enabled by default.
2) Configurability was completely lacking, you can just enable/disable
   the cache.

If a user considers that the invalidation problem is a real concern,
then they can just opt out from adopting the flowtable solution for
now. Cache invalidation is not a requirement in the scenarios where
this is planned to be deployed at this stage.

I can extend the documentation to describe the invalidation problem in
a follow-up patch and to explicitly state that this is not addressed at
this stage.
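
An added illustration of the opt-in model described in the message above; it is not part of the original message or of the patchset. The table and flowtable names are hypothetical, the device names are borrowed from the diagram, and the match that selects which flows are offloaded is an assumption.

```nftables
# Constructed example: 'fastpath' and 'ft' are hypothetical names.
table inet fastpath {
    # The fast path exists only because this flowtable is declared;
    # a ruleset without it never bypasses the classic forwarding path.
    flowtable ft {
        hook ingress priority 0
        devices = { veth1, veth2, wan }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only flows that reach this rule are added to the flowtable.
        # Requiring 'ct state established' defers the decision until
        # conntrack has seen traffic in both directions, so the first
        # packets of every flow still traverse the full ruleset.
        meta l4proto { tcp, udp } ct state established flow add @ft
    }
}
```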

Thread overview: 28+ messages
2021-03-11  0:35 [PATCH net-next 00/23] netfilter: flowtable enhancements Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 01/23] net: resolve forwarding path from virtual netdevice and HW destination address Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 02/23] net: 8021q: resolve forwarding path for vlan devices Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 03/23] net: bridge: resolve forwarding path for bridge devices Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 04/23] net: bridge: resolve forwarding path for VLAN tag actions in " Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 05/23] net: ppp: resolve forwarding path for bridge pppoe devices Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 06/23] net: dsa: resolve forwarding path for dsa slave ports Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 07/23] netfilter: flowtable: add xmit path types Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 08/23] netfilter: flowtable: use dev_fill_forward_path() to obtain ingress device Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 09/23] netfilter: flowtable: use dev_fill_forward_path() to obtain egress device Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 10/23] netfilter: flowtable: add vlan support Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 11/23] netfilter: flowtable: add bridge vlan filtering support Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 12/23] netfilter: flowtable: add pppoe support Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 13/23] netfilter: flowtable: add dsa support Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 14/23] selftests: netfilter: flowtable bridge and vlan support Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 15/23] netfilter: flowtable: add offload support for xmit path types Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 16/23] netfilter: nft_flow_offload: use direct xmit if hardware offload is enabled Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 17/23] netfilter: flowtable: bridge vlan hardware offload and switchdev Pablo Neira Ayuso
2021-03-11  0:35 ` [PATCH net-next 18/23] net: flow_offload: add FLOW_ACTION_PPPOE_PUSH Pablo Neira Ayuso
2021-03-11  0:36 ` [PATCH net-next 19/23] netfilter: flowtable: support for FLOW_ACTION_PPPOE_PUSH Pablo Neira Ayuso
2021-03-11  0:36 ` [PATCH net-next 20/23] dsa: slave: add support for TC_SETUP_FT Pablo Neira Ayuso
2021-03-11  0:36 ` [PATCH net-next 21/23] net: ethernet: mtk_eth_soc: add support for initializing the PPE Pablo Neira Ayuso
2021-03-11  0:36 ` [PATCH net-next 22/23] net: ethernet: mtk_eth_soc: add flow offloading support Pablo Neira Ayuso
2021-03-11  0:36 ` [PATCH net-next 23/23] net: ethernet: mtk_eth_soc: fix parsing packets in GDM Pablo Neira Ayuso
2021-03-12  7:36   ` Felix Fietkau
2021-03-11 20:47 ` [PATCH net-next 00/23] netfilter: flowtable enhancements Jakub Kicinski
2021-03-11 21:45   ` Pablo Neira Ayuso [this message]
2021-03-11 22:31     ` David Miller
