Stephen Hemminger
2007-Apr-18  17:23 UTC
[Bridge] [PATCH] bridge: avoid ptype_all packet handling
I was measuring bridging/routing performance and noticed this.
The current code runs the "all packet" type handlers before calling
the
bridge hook.  If an application (like some DHCP clients) is using AF_PACKET,
this means that each received packet gets run through the Berkeley Packet Filter
code in sk_run_filter (slow).
By moving the bridging hook to run first, the packets flowing through
the bridge get filtered out there. This results in a 14%
improvement in performance, but it does mean that some snooping applications
would miss packets if being used on a bridge.  The correct way to see all
packets on a bridge is to set the bridge pseudo-device to promiscuous
mode.
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
---
 net/core/dev.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index cf71614..dc2cda6 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1792,6 +1792,10 @@ int netif_receive_skb(struct sk_buff *skb)
 
 	rcu_read_lock();
 
+	if (handle_bridge(&skb, &pt_prev, &ret, orig_dev))
+		goto out;
+
+
 #ifdef CONFIG_NET_CLS_ACT
 	if (skb->tc_verd & TC_NCLS) {
 		skb->tc_verd = CLR_TC_NCLS(skb->tc_verd);
@@ -1826,9 +1830,6 @@ int netif_receive_skb(struct sk_buff *skb)
 ncls:
 #endif
 
-	if (handle_bridge(&skb, &pt_prev, &ret, orig_dev))
-		goto out;
-
 	type = skb->protocol;
 	list_for_each_entry_rcu(ptype, &ptype_base[ntohs(type)&15], list) {
 		if (ptype->type == type &&
-- 
1.4.4.2
Stephen Hemminger wrote:> I was measuring bridging/routing performance and noticed this. > > The current code runs the "all packet" type handlers before calling the > bridge hook. If an application (like some DHCP clients) is using AF_PACKET, > this means that each received packet gets run through the Berkeley Packet Filter > code in sk_run_filter (slow). > > By moving the bridging hook to run first, the packets flowing through > the bridge get filtered out there. This results in a 14% > improvement in performance, but it does mean that some snooping applications > would miss packets if being used on a bridge. The correct way to see all > packets on a bridge is to set the bridge pseudo-device to promiscuous > mode.Seems it would be better to fix these clients to be more selective as to where they bind. This breaks the case where you want to see packets on a particular interface, not just the entire bridge, right? Thanks, Ben> > Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> > --- > net/core/dev.c | 7 ++++--- > 1 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/net/core/dev.c b/net/core/dev.c > index cf71614..dc2cda6 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -1792,6 +1792,10 @@ int netif_receive_skb(struct sk_buff *skb) > > rcu_read_lock(); > > + if (handle_bridge(&skb, &pt_prev, &ret, orig_dev)) > + goto out; > + > + > #ifdef CONFIG_NET_CLS_ACT > if (skb->tc_verd & TC_NCLS) { > skb->tc_verd = CLR_TC_NCLS(skb->tc_verd); > @@ -1826,9 +1830,6 @@ int netif_receive_skb(struct sk_buff *skb) > ncls: > #endif > > - if (handle_bridge(&skb, &pt_prev, &ret, orig_dev)) > - goto out; > - > type = skb->protocol; > list_for_each_entry_rcu(ptype, &ptype_base[ntohs(type)&15], list) { > if (ptype->type == type &&-- Ben Greear <greearb@candelatech.com> Candela Technologies Inc http://www.candelatech.com
David Miller
2007-Apr-18  17:23 UTC
[Bridge] [PATCH] bridge: avoid ptype_all packet handling
From: Stephen Hemminger <shemminger@linux-foundation.org> Date: Wed, 28 Feb 2007 17:18:46 -0800> I was measuring bridging/routing performance and noticed this. > > The current code runs the "all packet" type handlers before calling the > bridge hook. If an application (like some DHCP clients) is using AF_PACKET, > this means that each received packet gets run through the Berkeley Packet Filter > code in sk_run_filter (slow).I know we closed this out by saying that even though performance sucks, we can't really apply this without breaking things. What would be broken is if the DHCP client isn't specifying a device ifindex when it binds the AF_PACKET socket. That would be an easy way to fix this performance problem at the application level. The DHCP client should only care about a particular interface's traffic, the one it wants to listen on.