On Tue, Feb 20, 2018 at 05:52:54PM -0800, Alexei Starovoitov wrote: > On Tue, Feb 20, 2018 at 11:44:31AM +0100, Pablo Neira Ayuso wrote: > > > > Don't get me wrong, no software is safe from security issues, but if you > > don't abstract your resources in the right way, you have more chance to > > have experimence more problems. > > interesting point. > The key part of iptables and nft design is heavy use of indirect calls. > The execution of single iptable rule is ~3 indirect calls. > Quite a lot worse in nft where every expression is an indirect call.
That's right. Netfilter is probably too modular, probably we can revisit this to find a better balance, actually Felix Fietkau was recently rising concerns on this, specifically in environments with limited space to store the kernel image. We'll have a look, thanks for remind us about this. [...] > CPUs will eventually be fixed and IBRS_ALL will become reality. > Until then the kernel has to deal with the performance issues. Hopefully, so we can all skip these problems. Thanks.
