This work changes xtables to register tables only when the ip(6)tables/arptables command is invoked inside a netns. It also changes br_netfilter to not add its sabotage hooks until a bridge is created inside the netns. The initial namespace isn't affected; hooks are still registered there at module load time.

netperf receiver running in netns 1, init ns with empty mangle+filter table.

Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

From ns2 (empty mangle + filter table):
 87380  16384  16384    180.00   22034.90
 87380  16384  16384    180.00   22355.71
 87380  16384  16384    180.00   21906.88

From ns3, no iptables invocations:
 87380  16384  16384    180.00   23103.76
 87380  16384  16384    180.00   22975.47
 87380  16384  16384    180.00   22880.08

-> ~4% delta.

Changes since last iteration:
- dropped the conntrack changes for now
- split patch #2 to make review a bit easier

No other changes.

 include/linux/netfilter.h                 | 29 ++++--------
 include/linux/netfilter/x_tables.h        |  6 +-
 include/linux/netfilter_arp/arp_tables.h  |  9 ++-
 include/linux/netfilter_ipv4/ip_tables.h  |  9 ++-
 include/linux/netfilter_ipv6/ip6_tables.h |  9 ++-
 net/bridge/br_netfilter_hooks.c           | 68 ++++++++++++++++++++++++++++--
 net/ipv4/netfilter/arp_tables.c           | 66 ++++++++++++++++-----------
 net/ipv4/netfilter/arptable_filter.c      | 40 ++++++++++-------
 net/ipv4/netfilter/ip_tables.c            | 63 ++++++++++++++++-----------
 net/ipv4/netfilter/iptable_filter.c       | 44 ++++++++++++-------
 net/ipv4/netfilter/iptable_mangle.c       | 41 ++++++++++++------
 net/ipv4/netfilter/iptable_nat.c          | 41 +++++++++---------
 net/ipv4/netfilter/iptable_raw.c          | 38 +++++++++++-----
 net/ipv4/netfilter/iptable_security.c     | 44 ++++++++++++-------
 net/ipv6/netfilter/ip6_tables.c           | 65 +++++++++++++++++-----------
 net/ipv6/netfilter/ip6table_filter.c      | 47 ++++++++++++--------
 net/ipv6/netfilter/ip6table_mangle.c      | 46 ++++++++++++--------
 net/ipv6/netfilter/ip6table_nat.c         | 41 +++++++++---------
 net/ipv6/netfilter/ip6table_raw.c         | 46 ++++++++++++--------
 net/ipv6/netfilter/ip6table_security.c    | 44 +++++++++++--------
 net/netfilter/x_tables.c                  | 65 +++++++++++++++++-----------
 21 files changed, 544 insertions(+), 317 deletions(-)