netfilter-devel April 2010 archive

Re: Network Acceleration Module vs Service

From: Jan Engelhardt <jengelh_at_nospam>
Date: Fri Apr 02 2010 - 11:23:11 GMT
To: Justin Yaple

On Friday 2010-04-02 02:16, Justin Yaple wrote:
>I have been working on a network accelerator, [...]
>Currently it can only compress/decompress the data field of the TCP

So, what makes it better than ipcomp?

>I want to add the ability for it to generate signatures for
>common data patterns, and then substitute the signature in place of
>that data pattern. The other accelerator host would then reverse that
>and replace the signature with the actual data pattern.

That is essentially the definition of coding/compression,
which you already seem to have (minus one change that you don't
throw away the dictionary).

>I am a little worried about the performance of the system overall
>assuming the only option is to move the majority of this to a user
>space service I would need to rewrite the module portion to QUEUE the
>packets to user space. This might severely affect performance of the
>system in the number of packets per second that can be processed.
>Given that it could be doing database queries, and substituting TCP
>data for a signature or compressing the data the time it takes to move
>a packet from kernel to user space and back might be negligible.

If it is not the case already, devise a mechanism so that userspace gathers
multiple nfqueued packets at once instead of one-at-a-time.
 - multi-threading the userspace process might be worth looking into
 - using NFQUEUE to deliver into separate queues per CPU
   (so that one CPU does not have to wait for the lock of another)
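The per-CPU queue suggestion at the end of the reply, as an added example that is not part of the original message or of any project code. It prints the iptables rule and the matching userspace worker layout without applying anything; the mangle table, the FORWARD default chain, the TCP-only match and the function names are assumptions, and `--queue-cpu-fanout` needs Linux 3.10 or later, so it postdates this thread.

```shell
#!/bin/sh
# Added example: emits (never applies) an NFQUEUE rule that gives every CPU
# its own queue, plus the worker layout userspace needs to drain those queues.

# nfqueue_percpu_rule NCPU [CHAIN]
# Assumptions: mangle table, TCP only, queues numbered 0..NCPU-1.
nfqueue_percpu_rule() {
    local ncpu="$1" chain="${2:-FORWARD}"
    case "$ncpu" in
        ''|0*|*[!0-9]*)
            echo "NCPU must be a positive integer without leading zeros" >&2
            return 1 ;;
    esac
    if [ "$ncpu" -eq 1 ]; then
        # One CPU: a single queue, nothing to balance.
        printf 'iptables -t mangle -A %s -p tcp -j NFQUEUE --queue-num 0\n' "$chain"
    else
        # --queue-balance alone spreads flows by hash; adding
        # --queue-cpu-fanout indexes the queue by the CPU handling the packet,
        # so no CPU waits on another CPU's queue lock.
        printf 'iptables -t mangle -A %s -p tcp -j NFQUEUE --queue-balance 0:%d --queue-cpu-fanout\n' \
            "$chain" "$((ncpu - 1))"
    fi
}

# nfqueue_worker_plan NCPU
# One userspace worker thread per queue, pinned to the CPU that feeds it.
nfqueue_worker_plan() {
    local ncpu="$1" i=0
    case "$ncpu" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    while [ "$i" -lt "$ncpu" ]; do
        printf 'worker %d: pin to CPU %d, bind NFQUEUE %d\n' "$i" "$i" "$i"
        i=$((i + 1))
    done
}
```

Review the printed rule before running it as root; each worker should bind only the queue number listed for it.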