Message-ID: <20150414101339.GC3004@acer.localdomain>
Date:	Tue, 14 Apr 2015 11:13:39 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Thomas Graf <tgraf@...g.ch>
Cc:	David Miller <davem@...emloft.net>, pablo@...filter.org,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 0/7 RFC] Netfilter/nf_tables ingress support

On 14.04, Thomas Graf wrote:
> On 04/14/15 at 10:06am, Patrick McHardy wrote:
> > On 14.04, Thomas Graf wrote:
> > > On 04/13/15 at 09:19pm, Patrick McHardy wrote:
> > > > Now the advantages of being able to use nft. First, the obvious
> > > > one is that we have a nice userspace tool, a well defined
> > > > grammar, and that people would be able to use the same tool for
> > > > very similar tasks. nftables in the kernel is almost completely
> > > > lockless, we support way more possibilities already and we won't
> > > > have to add new special case TC actions anymore. Look at the
> > > > connmark action for example. It can set a value. How long until
> > > > someone wants to use a bitmask? We support all operations
> > > > (assignment, bit operations) for all types, we have sets for fast
> > > > lookups, maps for associating values quickly, we have a nice and
> > > > readable syntax and full translation back to the readable
> > > > representation and much more.
> > > 
> > > *cough* Performance numbers? *cough* ;-)
> > 
> > I'm just arguing, not implementing :)
> 
> OK ;-) Seriously though, we need to start putting emphasis on
> numbers as well. We are supposed to run data centers with all of
> this, we can't just horse around for fun ;-)

I would actually expect them to use neither TC nor nft, so the most
interesting number would be the impact if not used. Additionally I'd
like to see the numbers for moving ingress to use the netfilter hook
if it is actually used.

The costs of TC actions vs nft are actually not relevant in my
opinion since we're not replacing anything.