Date:	Thu, 24 Sep 2015 09:30:20 -0700
From:	Tom Herbert <tom@...bertland.com>
To:	<davem@...emloft.net>, <netdev@...r.kernel.org>
CC:	<kernel-team@...com>
Subject: [PATCH net-next 0/4] ila: Use NF_INET_PRE_ROUTING nfhook 

In the current implementation of ILA, LWT is used to perform
translation on both the input and output paths. This is functional,
however there is a big performance hit in the receive path. Early
demux occurs before the routing lookup (a hit actually obviates the
route lookup). Therefore the stack currently performs early
demux before translation so that a local connection with ILA
addresses is never matched. Note that this issue is not just
with ILA, but pretty much any translated or encapsulated packet
handled by LWT would miss the opportunity for early demux. Solving
the general problem seems non-trivial since we would need to move
the route lookup before early demux thereby mitigating the value.

This patch set addresses the issue for ILA by adding a fast locator
lookup that occurs before early demux. This is done by using a hook
at NF_INET_PRE_ROUTING. For the backend we implement an rhashtable
that contains identifier to locator to mappings. The table also
allows more specific matches that include original locator and
interface.

Note that we are not adding functionality to support nfhook for
output (e.g. NF_INET_POST_ROUTING). This is because netfilter
is done post routing which is problematic since we are changing
the destination address in ILA. There is an in/out parameter in
table entries to allow for the future possibility of performing
lookups on the output path.

This patch set:
 - Add an rhashtable function to atomically replace an element.
   This is useful to implement sub-trees from a table entry
   without needing to use a special anchor structure as the
   table entry.
 - Add a start callback for starting a netlink dump.
 - Create an ila directory under net/ipv6 and move ila.c to it.
   ila.c is split into ila_common.c and ila_lwt.c.
 - Implement a table to do identifier->locator mapping. This is
   an rhashtable.
 - Configuration for the table with netlink
 - Set nfhook for IPv6 NF_INET_PRE_ROUTING to do ILA lookup and
   translation.

Testing:
   Running 200 netperf TCP_RR streams

No ILA, baseline
   85.36% CPU utilization
   1917187 tps
   90/157/327 50/90/99% latencies

ILA before fix (LWT on both input and output)
   82.86% CPU utilization
   1668895 tps (-14% from baseline)
   106/180/336 50/90/99% latencies

ILA after fix (NF hook for input)
   82.69% CPU utilization
   1865113 tps (-2.7% from baseline)
   93/162/331 50/90/99% latencies

Tom Herbert (4):
  rhashtable: add function to replace an element
  netlink: add a start callback for starting a netlink dump
  ila: Create net/ipv6/ila directory
  ila: Add support for netfilter NF_INET_PRE_ROUTING hook

 include/linux/netlink.h    |   2 +
 include/linux/rhashtable.h |  80 ++++++
 include/net/genetlink.h    |   2 +
 include/uapi/linux/ila.h   |  22 ++
 net/ipv6/Makefile          |   2 +-
 net/ipv6/ila.c             | 229 ----------------
 net/ipv6/ila/Makefile      |   7 +
 net/ipv6/ila/ila.h         |  48 ++++
 net/ipv6/ila/ila_common.c  | 102 +++++++
 net/ipv6/ila/ila_lwt.c     | 149 ++++++++++
 net/ipv6/ila/ila_xlat.c    | 665 +++++++++++++++++++++++++++++++++++++++++++++
 net/netlink/af_netlink.c   |   4 +
 net/netlink/genetlink.c    |  16 ++
 13 files changed, 1098 insertions(+), 230 deletions(-)
 delete mode 100644 net/ipv6/ila.c
 create mode 100644 net/ipv6/ila/Makefile
 create mode 100644 net/ipv6/ila/ila.h
 create mode 100644 net/ipv6/ila/ila_common.c
 create mode 100644 net/ipv6/ila/ila_lwt.c
 create mode 100644 net/ipv6/ila/ila_xlat.c

-- 
2.4.6
