[PATCH nf-next,v2 00/14] nf_tables datapath ruleset blob and register tracking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

The following patchset contains v2 updates for the datapath ruleset
representation and new infrastructure to skip redundant selector store
to register operations. Patch from 1 to 7 are not updated in this v2 series.

- Patch 1 to 6, allocate stateful information via kmalloc() to prepare
  for the ruleset blob layout.

- Patch 7, adds datapath blob ruleset per chain representation, generated
  from the commit phase. This blob contains read-only ruleset data:

      size (unsigned long)
        struct nft_rule_dp
          struct nft_expr
          ...
        struct nft_rule_dp
          struct nft_expr
          ...
        struct nft_rule_dp (is_last=1)

  The new structure nft_rule_dp represents the rule in a more compact way
  (smaller memory footprint) compared to the control-plane nft_rule
  structure.

  The ruleset blob is a read-only data structure. The first field contains
  the blob size, then the rules containing expressions. There is a trailing
  rule which is used by the tracing infrastructure which is equivalent to
  the NULL rule marker in the previous representation. The blob size field
  does not include the size of this trailing rule marker.

- Patch 8, add NFT_REG32_NUM and use it (new in this series).

- Patch 9 to 12, adds register tracking infrastructure to skip redundant
  selector store operations on registers which allows to recycle existing
  data. This results in a x2 boost in performance in pure linear rulesets,
  but it also helps a bit in rulesets already heavily relying in maps.
  This infra supports for dynamic ruleset updates since the ruleset blob
  is generated from the kernel on updates.

  [ I have reworked payload+bitwise and meta+bitwise reductions to make
    them less confusing. I have also fixed a few bugs triggering an
    incorrect reduction ]

- Patch 13 and 14 cancel the register tracking for payload/meta set
  operations (new in this series).

Userspace update is needed to maximize register utilization, to allow
the nf_tables kernel side to recycle register data.

Pablo Neira Ayuso (14):
  netfilter: nft_connlimit: move stateful fields out of expression data
  netfilter: nft_last: move stateful fields out of expression data
  netfilter: nft_quota: move stateful fields out of expression data
  netfilter: nft_numgen: move stateful fields out of expression data
  netfilter: nft_limit: rename stateful structure
  netfilter: nft_limit: move stateful fields out of expression data
  netfilter: nf_tables: add rule blob layout
  netfilter: nf_tables: add NFT_REG32_NUM
  netfilter: nf_tables: add register tracking infrastructure
  netfilter: nft_payload: track register operations
  netfilter: nft_meta: track register operations
  netfilter: nft_bitwise: track register operations
  netfilter: nft_payload: cancel register tracking after payload update
  netfilter: nft_meta: cancel register tracking after meta update

 include/net/netfilter/nf_tables.h      |  40 +++++-
 net/bridge/netfilter/nft_meta_bridge.c |  20 +++
 net/netfilter/nf_tables_api.c          | 132 ++++++++++++-------
 net/netfilter/nf_tables_core.c         |  41 ++++--
 net/netfilter/nf_tables_trace.c        |   2 +-
 net/netfilter/nft_bitwise.c            |  93 +++++++++++++
 net/netfilter/nft_connlimit.c          |  26 ++--
 net/netfilter/nft_last.c               |  69 +++++++---
 net/netfilter/nft_limit.c              | 172 +++++++++++++++++--------
 net/netfilter/nft_meta.c               |  48 +++++++
 net/netfilter/nft_numgen.c             |  34 ++++-
 net/netfilter/nft_payload.c            |  51 ++++++++
 net/netfilter/nft_quota.c              |  52 +++++++-
 13 files changed, 626 insertions(+), 154 deletions(-)

-- 
2.30.2




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux