From: Florian Westphal <fw@strlen.de>
To: "Toke Høiland-Jørgensen" <toke@kernel.org>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org,
Lorenzo Bianconi <lorenzo@kernel.org>
Subject: Re: [PATCH RFC] netfilter: nf_tables: add flowtable map for xdp offload
Date: Thu, 2 Nov 2023 12:07:12 +0100 [thread overview]
Message-ID: <20231102110712.GG6174@breakpoint.cc> (raw)
In-Reply-To: <87il6k1lbz.fsf@toke.dk>
Toke Høiland-Jørgensen <toke@kernel.org> wrote:
> So IIUC correctly, this would all be controlled by userspace anyway (by
> the nft binary), right? In which case, couldn't userspace also provide
> the reference to the right flowtable instance, by sticking it into a bpf
> map? We'd probably need some special handling on the UAPI side to insert
> a flowtable pointer, but from the BPF side it could just look like a
> kptr in a map that the program pulls out and passes to the lookup kfunc.
> And the map would take a refcnt, making sure the table doesn't disappear
> underneath the XDP program. It could even improve performance since
> there would be one less hashtable lookup.
That requires kernel changes. Not only are flowtables not refcounted
at this time, we also have no unique identifier in the uapi; only a
combination (table name, family, flowtable name, OR table name and
handle id).
Also all of netfilter userland is network namespaced, so same keys
can exist in different net namespaces.
next prev parent reply other threads:[~2023-11-02 11:07 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-19 20:25 [PATCH RFC] netfilter: nf_tables: add flowtable map for xdp offload Florian Westphal
2023-10-23 10:33 ` Lorenzo Bianconi
2023-10-23 11:16 ` Florian Westphal
2023-11-02 8:30 ` Florian Westphal
2023-11-09 11:09 ` Florian Westphal
2023-11-02 10:49 ` Toke Høiland-Jørgensen
2023-11-02 10:54 ` Florian Westphal
2023-11-02 11:07 ` Toke Høiland-Jørgensen
2023-11-02 11:11 ` Florian Westphal
2023-11-02 11:07 ` Florian Westphal [this message]
2023-11-02 11:25 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231102110712.GG6174@breakpoint.cc \
--to=fw@strlen.de \
--cc=lorenzo@kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=toke@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).