Pablo, On 04/30/15 11:33, Pablo Neira Ayuso wrote:
> You keep saying that qdisc ingress outperforms, that's only right for just a very slight difference when comparing it with no rules on single CPU (when ported to the common playground of the generic hook infrastructure). On SMP nftables will outperform, even more if the ruleset is arranged in a non-linear list fashion, with all the new tricks that we got.
I am interested to see the numbers. I think this would be a great paper; it is extremely tempting to spend time on it.
> Anyway, let's take this "nftables vs. qdisc ingress" discussion to an end. I think the main point of this discussion is to provide a generic entry point to ingress filtering (for both qdisc ingress and nftables) that, if unused, doesn't harm performance of the critical path netif_receive_core() path at all. Thus, users can choose what they want, I have heard you saying several times: "To each their poison" and I like that.
Yes - but my good friend Patrick is not saying that. I don't want to turn on netfilter in order to get tc actions on ingress. And I don't want to be slowed down because now the code path has become longer. We are trying to prune the code path. If somehow you can work to not affect performance then we can live well together.

cheers,
jamal

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html