Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reorder early state dispatch for quicker outcome #22

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Reorder early state dispatch for quicker outcome #22

wants to merge 8 commits into from

Conversation

brada4
Copy link

@brada4 brada4 commented Feb 28, 2024
edited
Loading

locate offload at the end of slowpath
... use builtin tcpudp filter in place of extra filter ... and directly yield to offload-add kworker

drop invalid asap and avoid further activity on useless packets ... which accidentally simplifies main state dispatch ... so make use of optimized output chain dispatch alternatives depending on global setting

Thanks-to: @CallMeR for tcpudp filter avoidance idea
Thanks-to: forum user kvic for detailed review and suggestions
Discussed: #20
Part-reverts: 19a8caf

Signed-Off-By: Andris PE neandris@gmail.com

Reorder early state dispatch for quicker outcome
f7f39de 
locate offload at the end of slowpath
... use builtin tcpudp filter in place of extra filter
... and directly yield to offload-add kworker

drop invalid asap and avoid further activity on useless packets
... which accidentally simplifies main state dispatch
... so make use of optimized dispatch alternatives depending on global settings

Thanks-to: @CallMeR for tcpudp filter avoidance idea
Discussed: openwrt#20

Signed-Off-By: Andris PE <neandris@hmail.com>
@brada4
Copy link
Author

brada4 commented Feb 28, 2024

@jow- diff is identical to #20 , share if any (non-revolutionary) changes can improve it.
Diff visualisation misses logic change:
old:
filter.forward
if offload add flow
dispatch states
new:
filter.forward
if offload
dispatch states diverting to offload chain
else
dispatch states

@brada4
Copy link
Author

brada4 commented Feb 29, 2024

Dropping invalid packets over localhost would be swapping iif lo and ct state in output along removing iif != in new prerouting. I dont feel either way, so I maintained behaviour exactly.

Andris PE added 2 commits March 2, 2024 11:45
Characterize rule workings better
4647530 
As in old days, guilty not having idea on splitting state handling
earlier.
Reduce default weight.
c3b6b68 
No need to consume CPU in default case for unrealistic corner case.
loopback invalid thus better dropped at ease.

Signed-off-by: Andris PE <neandris@gmail.com>
@brada4
Copy link
Author

brada4 commented Jun 3, 2024

@jow- this alters semantics for improved safety discarding invalid (out of state and bad checksum) packets before nat alg helpers.

Stay with vmapized versions
a625924 
firstly netfilter doc now has only vmap-y dispatch examples
secondly vmap includes "immediate" action in itself, as opposed to
setting bool in lookup and in separate bytecode insnis doing immediate or full action.
@brada4
Copy link
Author

brada4 commented Jun 6, 2024

@jow- made it vmap, netfilters own examples now has vmaps everywhere....

  • drop invalid early
  • change comments (not meant to obfuscate change)
  • use whole output lines in place of string concatenation, just to avoid superlong lines in code
  • add offload hash on first qualifying packet, not second, so that second packet is already offloaded.
    new connection -> first ack after synack sets hash (used to only set "assured" state and hash set at next packet)
    timer retirement -> hash is restored after mandatory slowpath (it is just state dispatch, not the full filter) for certain, not tried before mandatory slowpath traversal

Andris PE added 4 commits June 8, 2024 14:30
Offloading can also happen when ramips hw offload rejects on ICMP3
786ea40 
Additionally since jump target is terminal no need to preserve callaback
and use goto in place of jump.
Cosmetic fix - use readback/kernel.org syntax ipo nftables wiki
d4d7578 
Suggested by forums user kvic in
https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723
Replace vmap with bitmask match ct state
5dc4d82 
Suggested by forum user kvic at
https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723

Average latency is same, the jitter/distribution is halved, also max
latency conclusively reduced.
Parse states before (quick) loopback accept
fe27543 
Suggested at
https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723
Formally speeds up "default" nat function over loopback ipc.
@brada4
Copy link
Author

brada4 commented Jul 24, 2024

@jow- hi, got nice pro feedback at https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723 and implemented best parts, 1 cosmetic 2 improves NAT performance by dozen hairs

@brada4
Copy link
Author

brada4 commented Jul 25, 2024

Also discovered that this adds easy flowtable exception via /e/n.d/ for more fifo-ish behaviour (still to dig up test case)

@jow-
Copy link
Contributor

jow- commented Jul 25, 2024

Should this PR drop commit a625924 since it is partially reverted in 5dc4d82 ?

@brada4
Copy link
Author

brada4 commented Jul 25, 2024

No, it should sray like this short simple.
1k evaluations on a pc totals to about same 7.abit ms for either but vmap version has broader deviation not explainable by any significant cpu consumption or absent in case network load.

@brada4
Copy link
Author

brada4 commented Jul 30, 2024

Yes, default configuration is revert (2 rules swapped tough)

@brada4 brada4 mentioned this pull request Dec 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brada4 @jow-