Date:	Thu, 30 Apr 2015 12:05:09 -0700
From:	Alexei Starovoitov <alexei.starovoitov@...il.com>
To:	Pablo Neira Ayuso <pablo@...filter.org>
Cc:	Patrick McHardy <kaber@...sh.net>,
	Daniel Borkmann <daniel@...earbox.net>,
	netfilter-devel@...r.kernel.org, davem@...emloft.net,
	netdev@...r.kernel.org, jhs@...atatu.com
Subject: Re: [PATCH 6/6] net: move qdisc ingress filtering on top of
 netfilter ingress hooks

On Thu, Apr 30, 2015 at 12:12:04PM +0200, Pablo Neira Ayuso wrote:
> 
> These are the numbers I got banging *one single CPU*:
> 
> * Without patches + qdisc ingress:
> 
> Result: OK: 16298126(c16298125+d0) usec, 10000000 (60byte,0frags)
>   613567pps 294Mb/sec (294512160bps) errors: 10000000
> 
> * With patches + qdisc ingress on top of hooks:
> 
> Result: OK: 18339281(c18339280+d0) usec, 10000000 (60byte,0frags)
>   545277pps 261Mb/sec (261732960bps) errors: 10000000
> 
> * With patches + nftables ingress chain:
> 
> Result: OK: 17118167(c17118167+d0) usec, 10000000 (60byte,0frags)
> 
>   584174pps 280Mb/sec (280403520bps) errors: 10000000

So in other words you're saying: tc has to live with 12%
slowdown (613k / 545k) only because _you_ want one hook
for both nft and tc ?!

The numbers from my box are 22.4 Mpps vs 18 Mpps which is 24%
slowdown for TC due to nf_hook.
Notice I'm seeing _millions_ of packets per second processed by
netif_receive_skb->ingress_qdisc->u32
whereas you're talking about _thousands_.
Even if your box is very old, it still doesn't explain this
huge difference.
Please post 'perf report' numbers, so we can help analyze
what is actually being measured. I bet netif_receive_skb
is not even in top 10.
