Re: Google SoC, Optimized netfilter implementation

Andi Kleen wrote:
Shreyas Bhatewara <shreyas.bhatewara@xxxxxxxxx> writes:
I am composing a proposal for this project to be submitted at Google
SoC. Could anyone brief me about what you mean by "dynamic code
generation" (https://www.linuxfoundation.org/en/Google_Summer_of_Code_2009#Optimized_netfilter_implementation).


I believe it refers to generating machine code for firewall rules.
So instead of interpreting a data structure the dynamically generated
code would just check the rules directly.

This was done by some kernels before, e.g. OSF/Mach had code to compile
BPF rules into machine code.

Doing something like this would be likely interesting, but I expect
it would be far too much general work for a single SoC. So if you wanted
to do anything like that you would need to select a very narrow doable
subset.

Thomas Graf presented something similar for TC at netconf 2005.
But I'm not sure whether it was ever released.

But I'm not so sure about the benefits. Sure, you can generate
optimized code for the simple cases (let's say, TCP port comparison).
But how much you can gain from this is quite limited, I'd expect;
for large rulesets, algorithmic improvements have a
much larger potential. Something like hipac should not have to
look at the key for each dimension (port number, address etc.)
more than once, so it pretty much doesn't matter how well optimized
that code is.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
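
The trade-off discussed in this message, as an added example that is not code from the thread, from netfilter or from nf-HiPAC: a rule list interpreted per packet next to a simplified per-dimension bit-vector lookup that reads each key once. The ruleset, function names and table layout are constructed for illustration and do not reproduce HiPAC's actual algorithm.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample ruleset: first match wins; 0 means "any". */
struct rule { uint8_t proto; uint16_t dport; int verdict; };
enum { DROP = 0, ACCEPT = 1, NRULES = 4 };
static const struct rule rules[NRULES] = {
    {  6, 22, ACCEPT },   /* tcp dport 22 */
    {  6, 80, ACCEPT },   /* tcp dport 80 */
    { 17, 53, ACCEPT },   /* udp dport 53 */
    {  0,  0, DROP   },   /* catch-all */
};

/* Interpreter: walks the list and reads both keys once per rule visited. */
static int classify_linear(uint8_t proto, uint16_t dport, int *key_reads)
{
    for (int i = 0; i < NRULES; i++) {
        *key_reads += 2;
        if ((!rules[i].proto || rules[i].proto == proto) &&
            (!rules[i].dport || rules[i].dport == dport))
            return rules[i].verdict;
    }
    return DROP;
}

/* Per-dimension tables: bit i is set when rule i accepts that key value. */
static uint32_t by_proto[256], by_dport[65536];

static void build_tables(void)   /* done once, when the ruleset changes */
{
    for (int i = 0; i < NRULES; i++) {
        for (int p = 0; p < 256; p++)
            if (!rules[i].proto || rules[i].proto == p)
                by_proto[p] |= 1u << i;
        for (int d = 0; d < 65536; d++)
            if (!rules[i].dport || rules[i].dport == d)
                by_dport[d] |= 1u << i;
    }
}

/* One lookup per dimension; the lowest set bit is the first matching rule. */
static int classify_indexed(uint8_t proto, uint16_t dport, int *key_reads)
{
    uint32_t hits = by_proto[proto] & by_dport[dport];
    *key_reads += 2;
    return hits ? rules[__builtin_ctz(hits)].verdict : DROP;
}

int main(void)
{
    int lin = 0, idx = 0;
    build_tables();
    classify_linear(6, 443, &lin);
    classify_indexed(6, 443, &idx);
    printf("key reads: linear=%d indexed=%d\n", lin, idx);
    return 0;
}
```

The linear walk's key reads grow with the number of rules visited, while the indexed lookup stays at two regardless of ruleset size, which is why tuning the per-rule comparison code matters less there.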
