On Wed, 25 Sep 2002 15:52:46 -0700 (PDT)
"David S. Miller" <davem@redhat.com> wrote:
> We have to do the route lookup anyways, if it got you to the packet
> filtering tables (or ipsec encap information, or TCP socket, etc etc)
> as a side effect, lots of netfilter becomes superfluous because all it
> is doing is maintaining these lookup tables etc. which is what you are
> optimizing.
Indeed. Note that netfilter infrastructure had this from the beginning, but
it sits unused (skb->nf_cache), awaiting someone to get enthusiastic.
There are three real issues:
1) You need a way to say "too hard, don't cache this". We have
NFC_UNKNOWN (I looked at some packet field you don't have a bit for)
and NFC_UNCACHABLE (give me every packet dammit!).
2) You need a sane "selective flush" mechanism for timeouts and rule changes
(eg. connection tracking and nat).
3) If you want to keep counters in the subsystems (eg. iptables keeps packet
and byte counters at the moment for every rule because it's easy). You
need to keep this info in your route cache, then call the subsystems when
you evict something from the cache.
Cheers!
Rusty.
-- there are those who do and those who hang on and you don't see too many doers quoting their contemporaries. -- Larry McVoy - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Sep 30 2002 - 22:00:25 EST