On Wed, Feb 20, 2002 at 11:47:57AM -0800, ravi c wrote: > Linearizing skbs in netfilter code is a big jolt on > the non-linear skb code path, > which is inverting very effort of avoiding the copy > even though such packets does > not requires any conntracking, nating, or, pkt > filtering.
Well, currently you have the following options a) disable netfilter support - no unwanted linearization of skb's b) enable netfilter support - unwanted linearization of skb's Even if nf_hook_slow wouldn't liearize itself, the individual modules (ip_conntrack, iptable_filter, ...) would do linearization of skb's. So even if we moved the linearization code into the individual netfilter modules, it would not make any difference. The difference would be _only_ if you use some non-standard contributed netfilter module which can deal with nonlinear skb's. > Our intention is to use iptables for WCCP-enabled (Web Cache Control > Protocol) transparent traffic while other apps using zero-copy path. In other > words, if we are running apps which use zero-copy path and apps which use > iptables then zero-copy apps gets performance hit. One such case is that like > we have a WCCP-enabled cache which uses iptable support to translate inbound > and outbound connections and the traffic needs ip conn tracking system. We > also use zero-copy code path for other apps which do not require any iptable > support nor connection tracking nor other proxy support. The traffic is > getting a big performance hit because we enabled iptables support. Well, but even the patch wouldn't bring any advantage as the conntrcak code needs to linearize again ... > How much effort it takes to move skb_linearize to > netfilter modules atleast to > conntrack,nat and pkt filtering? well just moving the code into the modules doesn't give any performance gain. The whole code needs to be reviewed and > One question I have here is that As they are coded, don't netfilter modules > (conntrack,NAT,pkt filter) works with non-linear skbs as, it has all the > required IP/TCP/UDP/EE header in skb? first, even a non-linear skb isn't granted to have the full header within the first segment. IIRC, DaveM has already pointed that out. > Why do netfilter modules need to care whether skb is linear or non-linear > except the one which tries to use application data and if, is there one > module which uses app data? There are. All connection tracking + NAT helper modules. Also more experimental stuff like the string match. And if the full ip+tcp header (including tcp options, etc.) is not present in the first segment, we still need to linearize. Yes, there is some room for optimization - but maybe not as much as you hope. It's on our TODO list. > Ravi -- Live long and prosper - Harald Welte / [EMAIL PROTECTED] http://www.gnumonks.org/ ============================================================================ GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
