Friday, June 5, 2009

Networking at Linux Plumbers Conference

Hey kernel developers, more proposals related to networking submitted for the Linux Plumbers Conference. This is the chance to have in-person discussions about future proposals like receive packet steering, RCU netfilter optimization, unified flow cache, and all those other topics that need more brainstorming and discussion.

The Netconf 2009 is also being planned to occur before LPC.

Tuesday, February 17, 2009

Parallelizing netfilter

The Linux networking receive performance has been mostly single threaded until the advent of MSI-X and multiqueue receive hardware. Now with many cards, it is possible to be processing packets on multiple CPUs and cores at once. All this is great, and improves performance for the simple case.

But most users don't just use simple networking. They use useful features like netfilter to do firewalling, NAT, connection tracking and all other forms of weird and wonderful things. The netfilter code has been tuned over the years, but there are still several hot locks in the receive path. Most of these are reader-writer locks, which are actually the worst kind, much worse than a simple spin lock. The problem with locks on modern CPUs is that even for the uncontested case, a lock operation means a full-stop cache miss.

With the help of Eric Dumazet, Rick Jones, Martin Josefsson and others, it looks like there is a solution to most of these. I am excited to see how it all pans out, but it could mean a big performance increase for any kind of netfilter packet intensive processing. Stay tuned.

Thursday, December 18, 2008

GPL violations close to home

Many times I hear about GPL violations in vendors' software, especially, it seems, in embedded routers. There are two cases which hit me in my home.

The first is our FIOS router, which is an Actiontec MI424-WR that runs Linux inside. You can even get to a telnet prompt. The problem is that it has a crappy DHCP server and always seems to assign different IP addresses even to the same MAC address. This breaks ssh and other services which do strong man-in-the-middle prevention. It seems the vendor hasn't fixed the problem, but as a result of a GPL violation suit, some source is available, but the DHCP code is not included, probably because it is BSD licensed so they don't have to. Given this, I'll just punt and do the lazy solution: turn it into a dumb Ethernet bridge and use something better like a Vyatta V514 test box or Linksys WR54TG, both of which are repairable.

The second is the Asus P6T motherboard, which has a SplashVM feature. This allows booting to a lightweight desktop in less than a minute (the BIOS is still slow to get its hardware set up). The desktop is based on Linux with a standard kernel and browser. It is kind of a toy, but good for checking gmail etc. Since SplashVM is using GPL, if the vendor was following the GPL license I should be able to find the source on their website. It is possible to find some pieces on the Splashtop vendor website, but it is the responsibility of the system vendor, not the subcontractor, to make available the source for the actual firmware they are shipping. In this case, it matters to me for a couple of reasons. I wrote the driver for the Marvell Yukon-2 EC Ultra NICs on this motherboard and would like to know if 1) the vendor fixed some bugs 2) the vendor still has some bugs that other users will pester me about. As copyright holder for this driver, I may have to go nasty to find out; stay tuned.

Wednesday, October 1, 2008

Netfilter workshop day 1

At the netfilter workshop, Patrick McHardy described an exciting new feature implementation of netfilter firewalling called nftables. This has the promise of reducing 100s of netfilter modules down to a smaller kernel footprint, and allowing for optimization of rulesets. Eric Leblond's blog has more information.

Friday, September 12, 2008

Open Source is alive and well in PDX thank you

I really should stop reading the Oregonian; they do such a poor job of covering high tech, and the business section is especially weak. The recent piece about OSCON moving to Silly Valley overlooked so many obvious things like the Linux Plumbers Conference next week, the Kernel Summit, not to mention the Open Source technology center, Oracle office in Portland, Portland State, and Free Geek. So the loss of one conference which is mostly attended by out of town people is really no impact on the local open source infrastructure.

Sunday, August 31, 2008

Only aliens can configure selinux?

The Sunday 8/31 User Friendly cartoon is great.
Do these people look like aliens?
Guess I'll have to give up on trying to set up selinux.

Wednesday, August 27, 2008

Exploring transactional filesystems

In order to implement router style semantics, Vyatta allows setting many different configuration variables and then applying them all at once with a commit command. Currently, this is implemented by a combination of shell magic and unionfs. The problem is that keeping unionfs up to date and fixing the resulting crashes is a major pain.

There must be better alternatives. Current options include:
  • Replace unionfs with aufs, which has fewer users yelling at it and more developers.
  • Use a filesystem like btrfs which has snapshots. This changes the model and makes APIs like "what changed?" hard to implement.
  • Move to a pure userspace model using git. The problem here is that git as currently written is meant for users, not transactions.
  • Use a combination of copy, bind mount, and rsync.
  • Use a database for configuration. This is easier for general queries but is the most work. Conversion from existing format would be a pain.
Looks like a fun/hard problem. Don't expect any resolution soon.
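
To make the set-then-commit model and the "what changed?" query concrete, here is an added sketch of the copy-based option; it is not Vyatta's code. It uses a plain copy and directory renames in place of bind mounts and rsync so it runs unprivileged, and the `cfg_*` function names and the `active`/`candidate`/`previous` layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example: staged configuration edits with an explicit commit.
# Layout (assumed): $ROOT/active is live, $ROOT/candidate is the working copy.

cfg_key_ok() {   # keys are relative paths; reject anything that could escape the tree
    case "$1" in ''|/*|*..*) echo "bad key: $1" >&2; return 1 ;; esac
}

cfg_begin() {    # open a transaction: candidate := copy of active
    rm -rf "$1/candidate" && cp -R -p "$1/active" "$1/candidate"
}

cfg_set() {      # cfg_set ROOT KEY VALUE
    cfg_key_ok "$2" || return 1
    mkdir -p "$1/candidate/$(dirname "$2")" && printf '%s\n' "$3" > "$1/candidate/$2"
}

cfg_delete() {   # cfg_delete ROOT KEY
    cfg_key_ok "$2" || return 1
    rm -f "$1/candidate/$2"
}

cfg_changed() {  # "what changed?": + added, ~ modified, - deleted
    ( cd "$1/candidate" && find . -type f | sort ) | while read -r f; do
        if [ ! -f "$1/active/$f" ]; then echo "+ ${f#./}"
        elif ! cmp -s "$1/active/$f" "$1/candidate/$f"; then echo "~ ${f#./}"
        fi
    done
    ( cd "$1/active" && find . -type f | sort ) | while read -r f; do
        [ -f "$1/candidate/$f" ] || echo "- ${f#./}"
    done
}

cfg_commit() {   # apply all staged edits together; old tree kept for rollback
    [ -d "$1/candidate" ] || return 1
    rm -rf "$1/previous"
    # Two renames: a reader can see a brief gap with no active tree.
    mv "$1/active" "$1/previous" && mv "$1/candidate" "$1/active"
}

# Constructed sample tree, built in a temp dir so the script runs anywhere.
ROOT=$(mktemp -d) && mkdir -p "$ROOT/active/interfaces/eth0"
echo 192.0.2.1/24 > "$ROOT/active/interfaces/eth0/address"
echo router1 > "$ROOT/active/hostname"
cfg_begin "$ROOT"
cfg_set "$ROOT" interfaces/eth0/address 192.0.2.2/24
cfg_set "$ROOT" interfaces/eth1/address 198.51.100.1/24
cfg_delete "$ROOT" hostname
cfg_changed "$ROOT"      # nothing is live until cfg_commit "$ROOT"
cfg_commit "$ROOT" && rm -rf "$ROOT"
```

The full copy on every `cfg_begin` is the cost of this approach; it is what a union or snapshot filesystem avoids.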