Hi,

On Thu, Sep 3, 2020 at 7:00 AM John Fastabend <john.fastabend@xxxxxxxxx> wrote:
> [...]
>
> I don't think it actually improves performance at least I didn't observe
> that. From the code it's not clear why this would be the case either. As
> a nit I would prefer that line removed from the commit message.
>

It hasn't been proven to be untrue either.

[...]

>
> Do you have plans to address the performance degradation? Otherwise
> if I was building some new components it's unclear why we would
> choose the slower option over the tc hook. The two suggested
> use cases security policy and DSR sound like new features, any
> reason to not just use existing infrastructure?
>

Unfortunately, tc is not an option as it is required to interact with nft objects (sets, maps, chains, etc), more complex than just a drop. Also, when building new features we try to maintain the application stack as simple as possible, not trying to do ugly integrations.

I understand that you measure performance with a drop, but using this hook we reduce the datapath consistently for these use cases and hence improve traffic performance.

Thank you for your time!