In message <Pine.GSO.4.30.0207290648020.12604-100000@xxxxxxxxxxxxxxxx> you write:
> > Connection tracking:
>
> Fix performance problems with this thing. You may have seen reports of
> performance degradation it introduces. I was hoping to take a look at some
> point; time hasn't been visiting this side.
There are several simple things to do here. One is to improve the
hashing (fine for internet traffic, but frequently sucks under LAN
conditions), which is easy. The other is to modify the
one-timer-per-connection approach to a "sweep once a second, or when
full" approach.
Both these are simple patches, but I want to see benchmarks showing
that they improve things.
> > iptables:
> > o Change over to a netlink interface
> > o Back to add/delete/replace interface + commit.
> > o Rewrite libiptc to use netlink (to port iptables).
>
> I hope this resolves the current scheme where the whole
> add/delete/replace interface + commit happens in user space?
> If you use netlink it would make sense to do incremental updates to the
> kernel.
Yes, that's exactly the plan. It'd be more like the old-style
insert/delete (probably not replace), except with a "commit"
interface, implemented by copying the rules when they start modifying.
Hope that helps,
Rusty.
--
Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
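As an added illustration of the "sweep once a second, or when full" expiry approach Rusty describes above (example code written for this page, not Rusty's patch and not netfilter's conntrack code): a toy connection table in which no entry owns a timer. Instead, every insert checks whether a full second has elapsed since the last sweep, or whether the table is full, and only then walks the table dropping expired entries. The table size, timeout, and flow tuple layout are assumptions chosen to keep the demo small.

```c
/* Added example, not from the original mail or the netfilter code base:
 * a connection table expired by periodic sweeps rather than one timer per
 * connection.  Sweeps run when the clock has advanced at least a second
 * since the last sweep, or when an insert finds the table full. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TABLE_SIZE   8    /* deliberately tiny so "full" is easy to reach (assumption) */
#define CONN_TIMEOUT 30   /* seconds an idle entry stays in the table (assumption) */

struct conn {
    int      in_use;
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t expires;     /* absolute deadline, in seconds */
};

struct conn_table {
    struct conn slots[TABLE_SIZE];
    uint32_t last_sweep;  /* time of the most recent sweep */
    int count;            /* entries currently in use */
};

/* Drop every entry whose deadline has passed; returns how many were dropped. */
static int conn_sweep(struct conn_table *t, uint32_t now)
{
    int dropped = 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (t->slots[i].in_use && t->slots[i].expires <= now) {
            t->slots[i].in_use = 0;
            t->count--;
            dropped++;
        }
    }
    t->last_sweep = now;
    return dropped;
}

/* The "once a second, or when full" rule: cheap check on every packet,
 * a full walk of the table only when one of the two conditions holds. */
static void conn_maybe_sweep(struct conn_table *t, uint32_t now)
{
    if (now - t->last_sweep >= 1 || t->count == TABLE_SIZE)
        conn_sweep(t, now);
}

/* Insert a new flow; returns the slot index, or -1 if still full after sweeping. */
static int conn_insert(struct conn_table *t, uint32_t now,
                       uint32_t saddr, uint32_t daddr,
                       uint16_t sport, uint16_t dport)
{
    conn_maybe_sweep(t, now);
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!t->slots[i].in_use) {
            t->slots[i] = (struct conn){ 1, saddr, daddr, sport, dport,
                                         now + CONN_TIMEOUT };
            t->count++;
            return i;
        }
    }
    return -1;
}

/* A packet on a known connection just pushes its deadline forward;
 * no timer is re-armed, which is the saving over one-timer-per-connection. */
static void conn_touch(struct conn_table *t, int idx, uint32_t now)
{
    t->slots[idx].expires = now + CONN_TIMEOUT;
}

/* Walk-through on constructed flows; returns 0 when every step behaves as expected. */
static int demo(void)
{
    struct conn_table t;
    memset(&t, 0, sizeof t);
    uint32_t now = 1000;
    for (int i = 0; i < TABLE_SIZE; i++)
        conn_insert(&t, now, 0x0a000001u + i, 0x0a000002u, 1024 + i, 80);
    /* Table is full and nothing has expired: a ninth flow is refused. */
    if (conn_insert(&t, now, 0x0a0000ffu, 0x0a000002u, 5000, 80) != -1)
        return 1;
    /* Keep flow 0 alive, then move past the timeout of the other seven:
     * the sweep triggered by the next insert reclaims them and the insert fits. */
    now += 20; conn_touch(&t, 0, now);
    now += 15;
    if (conn_insert(&t, now, 0x0a0000ffu, 0x0a000002u, 5000, 80) < 0)
        return 2;
    return t.count == 2 ? 0 : 3;
}

int main(void)
{
    int rc = demo();
    printf("demo result: %d (0 = all steps as expected)\n", rc);
    return rc;
}
```

The point the demo makes is the one in the mail: entry expiry costs nothing per packet beyond a timestamp write, and the table walk happens on a bounded schedule, so the cost of expiry no longer scales with the number of timers armed. The trade-off, which is why Rusty asks for benchmarks, is that entries linger up to a second past their deadline and a full table forces a walk on the hot path.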