Re: [PATCH] extensions: libxt_NFQUEUE: Add translation to nft

On Wed, Dec 23, 2015 at 01:08:51AM +0530, Shivani Bhardwaj wrote:
> On Tue, Dec 22, 2015 at 10:10 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Mon, Dec 21, 2015 at 06:53:43PM +0530, Shivani Bhardwaj wrote:
> >> Add translation of NF queue to nftables.
> >>
> >> Examples:
> >>
> >> $ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE --queue-num 30
> >> nft add rule ip nat PREROUTING tcp dport 80 counter  queue num 30
> >>
> >> $ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p TCP --sport 80
> >> nft add rule ip filter FORWARD tcp sport 80 counter  queue num 0 bypass
> >                                                      ^
> > Make sure this space is gone in a v2 of this patch.
> >
> >> $ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-balance 0:3
> >> nft add rule ip filter FORWARD counter  queue num 0-3 fanout
> >
> > I think --queue-balance is independent from fanout. Check the code and
> > make sure this is correct.
> >
> Hi,
> 
> I have taken reference from here:
> http://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
> 
> It says:
> When doing load balancing, you can use the fanout option to use the
> CPU ID as an index to map packets to the queues. The idea is that you
> can improve performance if there's a queue/userspace application per
> CPU
> 
> Please let me know if I have understood this wrong.

I think this description above is not precise, please have a look at:
man iptables-extensions and check NFQUEUE, so you make sure you're
interpreting things the right way.

       --queue-balance value:value
              This specifies a range of queues to use. Packets are
              then balanced across the given queues.  This is useful for
              multicore systems:  start  multiple  instances  of  the
              userspace program on queues x, x+1, .. x+n and use
              "--queue-balance x:x+n". Packets belonging to the same
              connection are put into the same nfqueue.

       --queue-cpu-fanout
              Available starting Linux kernel 3.10. When used together
              with --queue-balance this will use the CPU ID as an index
              to map packets to the queues. The idea is that you can improve
              performance if there's a queue per CPU. This requires
              --queue-balance to be specified.

So fanout is optional.

You can also fix the wiki to avoid this ambiguity. Thanks.
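To make the distinction above concrete, here is an added illustration (not the libxt_NFQUEUE patch under review, and not iptables' own xt_NFQ_info or xt_xlate code) of how a translator would render the nft queue expression: a --queue-num alone gives "queue num N", a --queue-balance gives a range, bypass is independent, and fanout is only accepted on top of a range. The option struct and the comma-separated flag syntax are my assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the parsed NFQUEUE options (hypothetical; not the
 * xt_NFQ_info struct from libxt_NFQUEUE). --queue-balance x:y sets
 * first=x, last=y; --queue-num n sets first=last=n. */
struct nfq_opts {
    unsigned int first;   /* first (or only) queue number */
    unsigned int last;    /* last queue number of the range */
    int bypass;           /* --queue-bypass given */
    int cpu_fanout;       /* --queue-cpu-fanout given */
};

/* Append s to buf at *pos. Returns 0 on success, -1 if buf would overflow. */
static int emit(char *buf, size_t len, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n >= len)
        return -1;
    memcpy(buf + *pos, s, n + 1);
    *pos += n;
    return 0;
}

/* Render the nft queue expression for the options. Returns 0 on success,
 * -1 for a reversed range or for --queue-cpu-fanout without a
 * --queue-balance range (the man page says fanout requires balance).
 * Flags are emitted comma-separated (assumed nft flag syntax), and
 * tokens are joined by exactly one space, never two. */
int nfqueue_xlate(const struct nfq_opts *o, char *buf, size_t len)
{
    char num[64];
    size_t pos = 0;

    if (o->last < o->first || (o->cpu_fanout && o->last == o->first))
        return -1;
    if (o->last == o->first)
        snprintf(num, sizeof(num), "queue num %u", o->first);
    else
        snprintf(num, sizeof(num), "queue num %u-%u", o->first, o->last);
    if (emit(buf, len, &pos, num))
        return -1;
    if (o->bypass && emit(buf, len, &pos, " bypass"))
        return -1;
    if (o->cpu_fanout &&
        emit(buf, len, &pos, o->bypass ? ",fanout" : " fanout"))
        return -1;
    return 0;
}
```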