Message-ID: <20150510234313.GA3176@salvia>
Date:	Mon, 11 May 2015 01:43:13 +0200
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	Daniel Borkmann <daniel@...earbox.net>
Cc:	Alexei Starovoitov <ast@...mgrid.com>, netdev@...r.kernel.org,
	davem@...emloft.net, jhs@...atatu.com
Subject: Re: [PATCH 2/2 net-next] net: move qdisc ingress filtering code
 where it belongs

On Sun, May 10, 2015 at 11:44:15PM +0200, Daniel Borkmann wrote:
> On 05/10/2015 11:31 PM, Daniel Borkmann wrote:
> >On 05/10/2015 09:50 PM, Pablo Neira Ayuso wrote:
> >...
> >>The numbers show that the existing approach and your approach result
> >>in less performance for everyone that doesn't need to filter from
> >>ingress. We have to move ingress to where it belongs.
> >
> >Your cleanup in patch 1 is okay, thanks for spotting it Pablo.
> >
> >I agree with you on the qdisc_enqueue_root(), it's not needed, which I
> >removed in my set as well. Please note that my set doesn't introduce a
> >regression, it improves ingress performance however.
> >
> >If there's no ingress user then that code path is simply *nop*'ed out.
> >If there's one ingress present on one device but not on others, it also
> >doesn't make anything slower to the current state. And you can also always
> >compile out CONFIG_NET_CLS_ACT (which we actually could make more fine
> >grained), if you really care.
> 
> But I am still wondering, does your machine have static_key support?

Yes:

CONFIG_JUMP_LABEL=y
CONFIG_HAVE_ARCH_JUMP_LABEL=y

$ scripts/gcc-goto.sh gcc
y

> If nothing is enabled, the code runs through a straight-line code path,
> it's a nop that is there.

The noop is patched to an unconditional branch to skip that code, but
the code is still there in that path, even if it's dormant.

What the numbers show is rather simple: The more code is in the path,
the less performance you get, and the qdisc ingress specific code
embedded there is reducing performance for people that are not using
qdisc ingress, hence it should go where it belongs. The static key
cannot save you from that.