Open Source and information security mailing list archives
 
Message-ID: <alpine.LFD.2.11.1412020827260.1593@ja.home.ssi.bg>
Date:	Tue, 2 Dec 2014 09:15:32 +0200 (EET)
From:	Julian Anastasov <ja@....bg>
To:	Florian Westphal <fw@...len.de>
cc:	netfilter-devel@...r.kernel.org, brouer@...hat.com,
	netdev@...r.kernel.org
Subject: Re: [RFC PATCH] netfilter: conntrack: cache route for forwarded
 connections


	Hello,

On Tue, 2 Dec 2014, Florian Westphal wrote:

> ... to avoid per-packet FIB lookup if possible.
> 
> The cached dst is re-used provided the input interface
> is the same as that of the previous packet in the same direction.
> 
> If not, the cached dst is invalidated.
> 
> This should speed up forwarding when conntrack is already in use
> anyway, especially when using reverse path filtering -- active RPF
> enforces two FIB lookups for each packet.
> 
> Before the routing cache removal this didn't matter since RPF
> was performed only when route cache didn't yield a result; but without
> route cache it comes at high price.
> 
> Signed-off-by: Florian Westphal <fw@...len.de>
> ---
>  Sending as RFC since I haven't tested this yet (aside from
>  single-forwarded-flow), so no performance data either.
> 
>   - doesn't work when iif changes (it invalidates cached dst), don't
>   think it's a problem

	The idea is good. But code that caches dsts should
also handle at least NETDEV_UNREGISTER (NETDEV_DOWN being
another option) to release dsts. Holding dsts for frozen
conns in EST state for a long time is a problem. IIRC, such dsts
are not under dst_dev_event() control. nf_nat_masquerade_ipv4.c
has something like this but for masq_index.

Regards

--
Julian Anastasov <ja@....bg>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
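The two points of the thread (reuse the cached dst only while the input interface is unchanged, and drop every cached dst that references a device when that device is unregistered) can be seen in miniature in the following userspace model. It is an added example, not the RFC patch and not kernel code: the struct and function names (conn_route, conn_netdev_unregister, the refcounted net_device and dst_entry stand-ins, the fib_lookup stub that routes everything out of one device) are assumptions chosen to read like the kernel's, and the device refcount models the reference a real dst holds on its output device.

```c
/* Added example: userspace model of per-direction dst caching in a
 * conntrack entry, iif-based invalidation, and the NETDEV_UNREGISTER
 * handler that releases cached dsts. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_CT_DIR_ORIGINAL 0
#define IP_CT_DIR_REPLY    1
#define IP_CT_DIR_MAX      2
#define MAX_CONNS          8

struct net_device { int ifindex; int refcnt; }; /* refcnt > 0: cannot free */

/* A routing result; like a real dst it holds a reference on its device. */
struct dst_entry { struct net_device *dev; int refcnt; };

struct nf_conn {
	struct dst_entry *dst[IP_CT_DIR_MAX];	/* cached route per direction */
	int iif[IP_CT_DIR_MAX];			/* iif the cache is valid for */
};

static struct nf_conn conns[MAX_CONNS];
static int nconns;
static int fib_lookups;	/* counted so cache hits are observable */

static void dst_release(struct dst_entry *dst)
{
	if (--dst->refcnt == 0) {
		dst->dev->refcnt--;	/* drop the device reference */
		free(dst);
	}
}

/* Stub FIB lookup: every route leaves via 'out'. */
static struct dst_entry *fib_lookup(struct net_device *out)
{
	struct dst_entry *dst = calloc(1, sizeof(*dst));

	dst->dev = out;
	dst->refcnt = 1;
	out->refcnt++;
	fib_lookups++;
	return dst;
}

static void conn_invalidate_dst(struct nf_conn *ct, int dir)
{
	if (ct->dst[dir]) {
		dst_release(ct->dst[dir]);
		ct->dst[dir] = NULL;
	}
}

void conn_table_reset(void)
{
	for (int i = 0; i < nconns; i++)
		for (int dir = 0; dir < IP_CT_DIR_MAX; dir++)
			conn_invalidate_dst(&conns[i], dir);
	nconns = 0;
	fib_lookups = 0;
}

struct nf_conn *conn_new(void)
{
	struct nf_conn *ct = &conns[nconns++];

	memset(ct, 0, sizeof(*ct));
	return ct;
}

int conn_fib_lookups(void) { return fib_lookups; }

/* Route a forwarded packet of 'ct' in direction 'dir' that arrived on
 * 'iif': reuse the cached dst only if iif matches the previous packet
 * in this direction, otherwise invalidate it and look up again. */
struct dst_entry *conn_route(struct nf_conn *ct, int dir, int iif,
			     struct net_device *out)
{
	if (ct->dst[dir] && ct->iif[dir] == iif)
		return ct->dst[dir];		/* cache hit: no FIB lookup */
	conn_invalidate_dst(ct, dir);		/* iif changed or no cache */
	ct->dst[dir] = fib_lookup(out);
	ct->iif[dir] = iif;
	return ct->dst[dir];
}

/* The NETDEV_UNREGISTER handler the review asks for: release every cached
 * dst that references the departing device, so an idle ESTABLISHED conn
 * cannot keep it alive. Returns how many dsts were released. */
int conn_netdev_unregister(struct net_device *dev)
{
	int released = 0;

	for (int i = 0; i < nconns; i++)
		for (int dir = 0; dir < IP_CT_DIR_MAX; dir++)
			if (conns[i].dst[dir] && conns[i].dst[dir]->dev == dev) {
				conn_invalidate_dst(&conns[i], dir);
				released++;
			}
	return released;
}

int main(void)
{
	struct net_device eth0 = { .ifindex = 1 }, eth1 = { .ifindex = 2 };
	struct nf_conn *ct;
	int released;

	conn_table_reset();
	ct = conn_new();
	conn_route(ct, IP_CT_DIR_ORIGINAL, eth0.ifindex, &eth1);
	conn_route(ct, IP_CT_DIR_ORIGINAL, eth0.ifindex, &eth1);
	printf("lookups after two packets, same iif: %d\n", fib_lookups);
	conn_route(ct, IP_CT_DIR_ORIGINAL, 99, &eth1);	/* iif changed */
	printf("lookups after iif change: %d, eth1 refcnt: %d\n",
	       fib_lookups, eth1.refcnt);
	released = conn_netdev_unregister(&eth1);
	printf("released on unregister: %d, eth1 refcnt: %d\n",
	       released, eth1.refcnt);
	return 0;
}
```

Without the unregister walk, the conn in this model would keep eth1's refcount at 1 indefinitely; in the kernel that is the situation where unregister_netdevice() waits for the device's usage count to drop. NETDEV_DOWN, the other option mentioned above, would use the same walk, just triggered earlier.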
