On Wed, Jul 27, 2011 at 11:14 AM, Ethan Jackson <[email protected]> wrote:

>> One strategy that I have considered is to be able to ask only for flows
>> that have a non-zero packet count. That would help with the common case
>> where, when there is a large number of flows, they are caused by a port
>> scan or some other activity with 1-packet flows. It wouldn't help at
>> all in your case.
>
> You could also have the kernel pass down to userspace what logically
> amounts to a list of the flows which have had their statistics change
> in the past 10 seconds. A bloom filter would be a sensible approach.
> Again, probably won't help at all in Simon's case, and may or may not
> be a useful optimization above simply not pushing down statistics for
> flows which have a zero packet count.
I don't think that you could implement a Bloom filter like this in a manner that wouldn't cause cache contention. Probably you would still need to iterate over every flow in the kernel; you would just be comparing last used time to current time - 10 instead of packet count not equal to zero.

To me, optimizing for port scans doesn't seem like a particularly common or useful case, and I don't think this will help all that much in an attack scenario. Ethan's suggestion would also help with aging, but it's still O(n) and then userspace has to do a diff of the flows to know which ones to evict.
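An added illustration of the trade-off argued in this thread (example code, not from the Open vSwitch project or either poster), assuming a toy in-memory flow table and a minimal Bloom filter: both kernel-side filters still visit every flow, and userspace still has to diff its own flow set against whatever the kernel publishes to find eviction candidates.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Flow:
    key: str          # flow key, e.g. a 5-tuple rendered as text
    packets: int      # packet count accumulated in the kernel
    last_used: float  # timestamp of the last packet that hit this flow


class BloomFilter:
    """Minimal Bloom filter: membership test with no false negatives."""
    def __init__(self, bits=1024, hashes=3):
        self.bits, self.hashes = bits, hashes
        self.arr = bytearray(bits // 8)

    def _idx(self, item):
        for i in range(self.hashes):
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.bits

    def add(self, item):
        for i in self._idx(item):
            self.arr[i // 8] |= 1 << (i % 8)

    def __contains__(self, item):
        return all(self.arr[i // 8] & (1 << (i % 8)) for i in self._idx(item))


def kernel_nonzero(flows):
    """Non-zero-packet filter: walks every flow, keeps those with packets > 0.
    Returns (keys, number of flows visited) to show the O(n) walk."""
    return [f.key for f in flows if f.packets > 0], len(flows)


def kernel_recent_bloom(flows, now, window=10.0):
    """Bloom-filter variant: still walks every flow, comparing last_used with
    now - window, and publishes a filter of the keys used within the window."""
    bf = BloomFilter()
    for f in flows:
        if now - f.last_used <= window:
            bf.add(f.key)
    return bf, len(flows)


def userspace_evict(userspace_keys, recent):
    """Userspace still diffs its own flow set against the kernel's filter;
    a Bloom false positive only keeps a stale flow alive one round longer."""
    return [k for k in userspace_keys if k not in recent]


# Constructed sample table: three 1-packet scan flows, two idle flows, one busy flow.
NOW = 1000.0
FLOWS = [Flow("scan-1", 1, 999.5), Flow("scan-2", 1, 999.7), Flow("scan-3", 1, 999.9),
         Flow("idle-a", 0, 900.0), Flow("idle-b", 12, 950.0), Flow("busy", 5000, 999.0)]
```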
