Hashing filters for very fast massive filtering

Source: Internet
Author: User

If you have a need for thousands of rules, for example if you have a lot of clients or computers, all with different QoS specifications, you may find that the kernel spends a lot of time matching all those rules.

By default, all filters reside in one big chain which is matched in descending order of priority. If you have many rules, as many checks may be needed to determine what to do with a packet.

Matching would go much quicker if you had many chains with four rules each, and could divide packets over those chains so that the right rule would be there.

Hashing makes this possible. Let's say you have cable modem customers in your network, with IP addresses ranging from 1.2.0.0 to 1.2.3.255, and each has to go into another bin, for example 'lite', 'regular' and 'premium'. You would then have rules like this:

# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.0.0 classid 1:1
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.0.1 classid 1:1
...
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.3.254 classid 1:3
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.3.255 classid 1:2

We can use the last part of the IP address as a 'hash key'. We then get 256 tables, the first of which looks like this:

# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.0.0 classid 1:1
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.1.0 classid 1:1
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.2.0 classid 1:3
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.3.0 classid 1:2

The next one starts like this:

# tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip src \
  1.2.0.1 classid 1:1
...

This way, only four checks are needed at most, and fewer on average.

Configuration is pretty complicated, but well worth it by the time you have this many rules. First we make a filter root, then we create a table with 256 entries:

# tc filter add dev eth1 parent 1:0 prio 5 protocol ip u32
# tc filter add dev eth1 parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256

Now we add some rules to entries in the created table:

# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \
        match ip src 1.2.0.123 flowid 1:1
# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \
        match ip src 1.2.1.123 flowid 1:2
# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \
        match ip src 1.2.2.123 flowid 1:3
# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \
        match ip src 1.2.3.123 flowid 1:2

This is entry 123, which contains matches for 1.2.0.123, 1.2.1.123, 1.2.2.123 and 1.2.3.123, and sends them to 1:1, 1:2, 1:3 and 1:2 respectively. Note that we need to specify our hash bucket in hex; 0x7b is 123.

Next create a 'hashing filter' that directs traffic to the right entry in the hashing table:

# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 800:: \
        match ip src 1.2.0.0/16 \
        hashkey mask 0x000000ff at 12 \
        link 2:

Ok, some numbers need explaining. The default hash table is called 800:: and all filtering starts there. Then we select the source address, which lives at positions 12 to 15 in the IP header, and indicate that we are only interested in the last part. This will be sent to hash table 2:, which we created earlier.

It's quite complicated, but it does work in practice and performance will be staggering. Note that this example could be improved to the ideal case where each chain contains 1 filter!
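Writing one rule per customer by hand is error-prone, mainly in getting the hex bucket right. The following shell script is an added example, not part of the original text: it prints (without running) the complete command set for the layout described above from an address-to-class list. The customer list is constructed sample data; the handle 800:: and offset 12 are tc's default u32 table and the IPv4 source address offset.

```shell
#!/bin/sh
# Added example: prints (does not run) the tc commands for the hashed layout.
# DEV and PARENT follow the text; the customer list below is constructed.
DEV=eth1
PARENT=1:0

# Hash bucket for an address: last octet, in hex, as "ht 2:<bucket>:" expects.
bucket_for() {
    last=${1##*.}
    case $last in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -le 255 ] || return 1
    printf '%x\n' "$last"
}

# Read "address flowid" pairs on stdin, emit one rule per pair in its bucket.
host_rules() {
    while read -r ip flowid; do
        [ -n "$ip" ] || continue
        b=$(bucket_for "$ip") || { echo "bad address: $ip" >&2; return 1; }
        echo "tc filter add dev $DEV protocol ip parent $PARENT prio 5 u32 ht 2:$b: match ip src $ip flowid $flowid"
    done
}

# Full rule set: filter root, 256-entry table, host rules, then the hashing filter.
gen_rules() {
    echo "tc filter add dev $DEV parent $PARENT prio 5 protocol ip u32"
    echo "tc filter add dev $DEV parent $PARENT prio 5 handle 2: protocol ip u32 divisor 256"
    host_rules || return 1
    echo "tc filter add dev $DEV protocol ip parent $PARENT prio 5 u32 ht 800:: match ip src 1.2.0.0/16 hashkey mask 0x000000ff at 12 link 2:"
}

# Constructed sample customers (address, class).
sample_customers() {
    cat <<'EOF'
1.2.0.123 1:1
1.2.1.123 1:2
1.2.2.123 1:3
1.2.3.123 1:2
1.2.0.10 1:1
1.2.3.255 1:2
EOF
}

sample_customers | gen_rules
```

The hashing filter is printed last so that no traffic is linked into table 2: before its buckets are populated.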
