From: Florian Westphal <f...@strlen.de> Date: Tue, 13 Mar 2018 14:41:39 +0100
> David Miller <da...@davemloft.net> wrote: >> From: Felix Fietkau <n...@nbd.name> >> Date: Mon, 12 Mar 2018 20:30:01 +0100 >> >> > It's not dead and useless. In its current state, it has a software fast >> > path that significantly improves nftables routing/NAT throughput, >> > especially on embedded devices. >> > On some devices, I've seen "only" 20% throughput improvement (along with >> > CPU usage reduction), on others it's quite a bit lot more. This is >> > without any extra drivers or patches aside from what's posted. >> >> I wonder if this software fast path has the exploitability problems that >> things like the ipv4 routing cache and the per-cpu flow cache both had. > > No, entries in the flow table are backed by an entry in the conntrack > table, and that has an upper ceiling. > > As decision of when an entry gets placed into the flow table is > configureable via ruleset (nftables, iptables will be coming too), one > can tie the 'fastpathing' to almost-arbitrary criterion, e.g. > > 'only flows from trusted internal network' > 'only flows that saw two-way communication' > 'only flows that sent more than 100kbyte' > > or any combination thereof. > > Do you see another problem that needs to be addressed? Ok, that seems to constrain the exposure. We should talk at some point about how exposed conntrack itself is.