On 04/14/15 at 11:13am, Patrick McHardy wrote:
> I would actually expect them to use neither TC nor nft, so the most
> interesting number would be the impact if not used. Additionally I'd
> like to see the numbers for moving ingress to use the netfilter hook
> if it is actually used.
>
> The costs of TC actions vs nft are actually not relevant in my
> opinion since we're not replacing anything.

Ingress filtering to implement distributed packet filters is very
relevant for data centers. The times of no-policy data centers are
gone with multi tenancy. Not all packets are routed so at least some
of the filtering must occur before prerouting. I'm afraid you can't
take yourself out of the fast path that easily ;-)

This is not a pledge specific to nft. I would like to see more numbers
in general. We are putting APIs and frameworks in place that we can't
remove afterwards without knowing how they really scale and perform.