lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1520609475.17937.42.camel@infradead.org>
Date:   Fri, 09 Mar 2018 15:31:15 +0000
From:   David Woodhouse <dwmw2@...radead.org>
To:     Florian Westphal <fw@...len.de>,
        Pablo Neira Ayuso <pablo@...filter.org>
Cc:     David Miller <davem@...emloft.net>, rga@...zon.de,
        bridge@...ts.linux-foundation.org, stephen@...workplumber.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        aliguori@...zon.com, nbd@...nwrt.org
Subject: Re: [RFC PATCH v2] bridge: make it possible for packets to
 traverse the bridge without hitting netfilter



On Fri, 2015-03-06 at 17:37 +0100, Florian Westphal wrote:
> 
> > > I did performance measurements in the following way:
> > > 
> > > Removed those pieces of the packet pipeline that I don't necessarily
> > > need one-by-one.  Then measured their effect on small packet
> > > performance.
> > > 
> > > This was the only part that produced considerable effect.
> > > 
> > > The pure speculation was about why the effect is more than 15%
> > > increase in packet throughput, although the code path avoided
> > > contains way less code than 15% of the packet pipeline.  It seems,
> > > Felix Fietkau profiled similar changes, and found my guess well
> > > founded.
> > > 
> > > Now could anybody explain me what else is wrong with my patch?
> > 
> > We have to come up with a more generic solution for this.
> 
> Jiri Benc suggested to allowing to attach netfilter hooks e.g. via tc
> action, maybe that would be an option worth investigating.
> 
> Then you could for instance add filtering rules only to the bridge port
> that needs it.
> 
> > These sysfs tweaks you're proposing look to me like an obscure way to
> > tune this.
> 
> I agree, adding more tunables isn't all that helpful, in the past this
> only helped to prolong the problem.

How feasible would it be to make it completely dynamic?

A given hook could automatically disable itself (for a given device) if
the result of running it the first time was *tautologically* false for
that device (i.e. regardless of the packet itself, or anything else).

The hook would need to be automatically re-enabled if the rule chain
ever changes (and might subsequently disable itself again).

Is that something that's worth exploring for the general case?

Eschewing a 15% speedup on the basis that "well, even though we've had
three of these already for a decade, we're worried that adding a fourth
might open the floodgates to further patches" does seem a little odd to
me, FWIW.


Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5213 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ