Message-ID: <20150414103202.GC14022@casper.infradead.org>
Date:	Tue, 14 Apr 2015 11:32:02 +0100
From:	Thomas Graf <tgraf@...g.ch>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	David Miller <davem@...emloft.net>, pablo@...filter.org,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 0/7 RFC] Netfilter/nf_tables ingress support

On 04/14/15 at 11:13am, Patrick McHardy wrote:
> I would actually expect them to use neither TC nor nft, so the most
> interesting number would be the impact if not used. Additionally I'd
> like to see the numbers for moving ingress to use the netfilter hook
> if it is actually used.
> 
> The costs of TC actions vs nft are actually not relevant in my
> opinion since we're not replacing anything.

Ingress filtering to implement distributed packet filters is very
relevant for data centers. The times of no-policy data centers are
gone with multi tenancy.

Not all packets are routed so at least some of the filtering must
occur before prerouting. I'm afraid you can't take yourself out
of the fast path that easily ;-)

This is not a pledge specific to nft. I would like to see more
numbers in general. We are putting APIs and frameworks in place that
we can't remove afterwards without knowing how they really scale and
perform.