From: Patrick McHardy <kaber@trash.net>
To: Andi Kleen <andi@firstfloor.org>
Cc: Shreyas Bhatewara <shreyas.bhatewara@gmail.com>,
netfilter-devel@vger.kernel.org
Subject: Re: Google SoC, Optimized netfilter implementation
Date: Fri, 03 Apr 2009 15:47:40 +0200
Message-ID: <49D6137C.5030205@trash.net>
In-Reply-To: <878wmikqw8.fsf@basil.nowhere.org>

Andi Kleen wrote:
> Shreyas Bhatewara <shreyas.bhatewara@gmail.com> writes:
>> I am composing a proposal for this project to be submitted at Google
>> SoC. Could anyone brief me about what you mean by "dynamic code
>> generation" (https://www.linuxfoundation.org/en/Google_Summer_of_Code_2009#Optimized_netfilter_implementation).
>
>
> I believe it refers to generating machine code for firewall rules.
> So instead of interpreting a data structure the dynamically generated
> code would just check the rules directly.
>
> This was done by some kernels before, e.g. OSF/Mach had code to compile
> BPF rules into machine code.
>
> Doing something like this would be likely interesting, but I expect
> it would be far too much general work for a single SoC. So if you wanted
> to do anything like that you would need to select a very narrow doable
> subset.

Thomas Graf presented something similar for TC at netconf 2005.
But I'm not sure whether it was ever released.

But I'm not so sure about the benefits. Sure, you can generate
optimized code for the simple cases (let's say, TCP port comparison).
But the impact how much you can gain from this is quite limited,
I'd expect; for large rulesets, algorithmic improvements have a
much larger potential. Something like hipac should not have to
look at the key for each dimension (port number, address etc.)
more than once, so it pretty much doesn't matter how well optimized
that code is.
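
The trade-off argued in the reply above, shown for a single dimension as an added example; it is not part of the original message and is not nf-HiPAC code. The ruleset, verdict numbers and function names are constructed for illustration, and the index is built by brute force over the 16-bit port space to keep the example short. A linear first-match scan is compared with a precomputed interval index that is searched once per packet.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed first-match ruleset on one dimension (TCP destination port). */
struct rule { uint16_t lo, hi; int verdict; };
static const struct rule rules[] = {
    { 22, 22, 1 }, { 80, 80, 1 }, { 443, 443, 1 }, { 1024, 65535, 2 },
    { 8000, 8999, 3 },  /* never reached: shadowed by the rule before it */
    { 0, 1023, 4 },
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))

/* Linear evaluation: compare the key against each rule until one matches. */
int classify_linear(uint16_t port, unsigned *cmps)
{
    for (size_t i = 0; i < NRULES; i++) {
        (*cmps)++;
        if (port >= rules[i].lo && port <= rules[i].hi)
            return rules[i].verdict;
    }
    return 0;  /* default verdict when no rule matches */
}

/* Index rebuilt on ruleset change: sorted interval starts with their verdict. */
struct seg { uint32_t start; int verdict; };
static struct seg segs[2 * NRULES + 1];  /* verdict changes only at rule edges */
static size_t nsegs;

void build_index(void)
{
    unsigned unused = 0;
    nsegs = 0;
    for (uint32_t p = 0; p <= 65535; p++) {  /* brute force, off the packet path */
        int v = classify_linear((uint16_t)p, &unused);
        if (nsegs == 0 || segs[nsegs - 1].verdict != v)
            segs[nsegs++] = (struct seg){ p, v };
    }
}

/* Lookup: one binary search over the dimension, independent of rule order. */
int classify_indexed(uint16_t port, unsigned *cmps)
{
    size_t lo = 0, hi = nsegs;  /* invariant: segs[lo].start <= port */
    while (hi - lo > 1) {
        size_t mid = lo + (hi - lo) / 2;
        (*cmps)++;
        if (segs[mid].start <= port) lo = mid; else hi = mid;
    }
    return segs[lo].verdict;
}
```

With this ruleset the linear scan needs up to six range checks per packet and grows with the number of rules, while the indexed lookup needs three key comparisons regardless of where the matching rule sits.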