  • Accelerating netfilter with hardware offload, part 2

    As network interfaces get faster, the amount of CPU time available to process each packet becomes correspondingly smaller. The good news is that many tasks, including packet filtering, can be offloaded to the hardware itself. The bad news is that the Linux kernel required quite a bit of work to be able to take advantage of that capability. The first article in this series provided an overview of how hardware-based packet filtering can work and the support for this feature that already existed in the kernel. This series now concludes with a detailed look at how offloaded packet filtering works in the netfilter subsystem and how administrators can make use of it.

    The offload capability was added by a patch set from Pablo Neira Ayuso, merged in the kernel 5.3 release and updated thereafter. The goal of the patch set was to add support for offloading a subset of the netfilter rules in a typical configuration, thus bypassing the kernel's generic packet-handling code for packets filtered by the offloaded rules. It is not currently possible to offload all of the rules, as that would require additional support from the underlying hardware and in the netfilter code. The use case and some of the internals are mentioned in Neira's slides [PDF] from the 2019 Linux Plumbers Conference.

  • The 5.6 merge window opens

    As of this writing, 4,726 non-merge changesets have been pulled into the mainline repository for the 5.6 development cycle. That is a relatively slow start by contemporary kernel standards, but it still is enough to bring a number of new features, some of which have been pending for years, into the mainline. Read on for a summary of the changes pulled in the early part of the 5.6 merge window.

  • Cavium OCTEON Driver Support For Linux Is Coming Back From The Dead

    It looks like the Cavium/Marvell OCTEON MIPS-based processor support is being restored for Linux systems after some of its drivers were briefly removed.

    For the current Linux 5.6 cycle, some OCTEON drivers were dropped. Those drivers had been living in the kernel's staging area but fell into disrepair, and with no one at the time taking over the maintenance burden, they were removed for Linux 5.6 as part of cleaning up the staging area.

