lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <176424680115.194326.6611149743733067162.stgit@firesoul>
Date: Thu, 27 Nov 2025 13:33:49 +0100
From: Jesper Dangaard Brouer <hawk@...nel.org>
To: netfilter-devel@...r.kernel.org, Pablo Neira Ayuso <pablo@...filter.org>,
 Florian Westphal <fw@...len.de>
Cc: Jesper Dangaard Brouer <hawk@...nel.org>, netdev@...r.kernel.org,
 phil@....cc, Eric Dumazet <eric.dumazet@...il.com>,
 "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>, kernel-team@...udflare.com,
 mfleming@...udflare.com, matt@...dmodwrite.com
Subject: [PATCH nf-next RFC 0/3] netfilter: x_tables: statistic nth match
 account GRO/GSO packets

In production we have a service that does sampling of 1 in every 10000 nth
packets. This is leveraging the iptables statistic module for reducing the
samples send to userspace via NFLOG target.

This part worked nicely until a mathematician noticed that we were under
sampling GRO/GSO packets. This is an example of a Bernoulli trial. When wanted
to sample one packet every nth packet. When a GRO packet contains e.g. just 2
packets then we should have sampled that at 5000. At 10 packets this is
1000. This caused enough under sampling of GRO/GSO to make statistics wrong in
our backend systems consuming this.

The production workaround is simply send all packets larger than the MTU to
userspace (via NFLOG). Then let the userspace sampler daemon pick 1 in 10000 nth
packets to be logged to the backend. Needless to say, this solution doesn't
scale. In production if enough CPUs participate this results in lock contention,
and in general this is limiting through to 20Gbit/s out of 25Gbit/s.

This patchset avoids having to send all GRO/GSO packet to userspace, by letting
the statistics nth mode account for the number of GRO/GSO fragments.

---

Jesper Dangaard Brouer (3):
      xt_statistic: taking GRO/GSO into account for nth-match
      xt_statistic: do nth-mode accounting per CPU
      xt_statistic: DEBUG patch


 include/uapi/linux/netfilter/xt_statistic.h |  1 +
 net/netfilter/xt_statistic.c                | 94 +++++++++++++++++++--
 2 files changed, 89 insertions(+), 6 deletions(-)

--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ