lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aShkog5k8nsD5YsA@strlen.de>
Date: Thu, 27 Nov 2025 15:48:02 +0100
From: Florian Westphal <fw@...len.de>
To: Jesper Dangaard Brouer <hawk@...nel.org>
Cc: netfilter-devel@...r.kernel.org,
	Pablo Neira Ayuso <pablo@...filter.org>, netdev@...r.kernel.org,
	phil@....cc, Eric Dumazet <eric.dumazet@...il.com>,
	"David S. Miller" <davem@...emloft.net>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	kernel-team@...udflare.com, mfleming@...udflare.com,
	matt@...dmodwrite.com
Subject: Re: [PATCH nf-next RFC 2/3] xt_statistic: do nth-mode accounting per
 CPU

Jesper Dangaard Brouer <hawk@...nel.org> wrote:
> The atomic cmpxchg operations for the nth-mode matching is a scaling
> concern, on our production servers with 192 CPUs. The iptables rules that
> does sampling of every 10000 packets exists on INPUT and OUTPUT chains.
> Thus, these nth-counter rules are hit for every packets on the system with
> high concurrency.
 
> Our use-case is statistical sampling, where we don't need an accurate packet
> across all CPUs in the system. Thus, we implement per-CPU counters for the
> nth-mode match.
> 
> This replaces the XT_STATISTIC_MODE_NTH, to avoid having to change userspace
> tooling. We keep and move atomic variant under XT_STATISTIC_MODE_NTH_ATOMIC
> mode, which userspace can easily be extended to leverage if this is
> necessary.

This patch seems acceptable to me (aside from the deliberate userspace
breakage).

But I do wonder why you can't move to random sampling instead, it
doesn't suffer from this problem (i.e. -m statistic --mode random).

I think a non-rfc version would have to add a new mode, plus the
userspace change, and an explanation why -m random can't be used,
esp.  because the changelog above implies to me that -m random would work
for this :-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ