From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 08/10] netfilter: ipset: Introduce RCU in all set types instead of rwlock per set
Date: Wed, 26 Nov 2014 14:14:34 +0100 [thread overview]
Message-ID: <20141126131434.GA1671@salvia> (raw)
In-Reply-To: <1416862012-31139-9-git-send-email-kadlec@blackhole.kfki.hu>
On Mon, Nov 24, 2014 at 09:46:50PM +0100, Jozsef Kadlecsik wrote:
> Performance is tested by Jesper Dangaard Brouer:
>
> Simple drop in FORWARD
> ~~~~~~~~~~~~~~~~~~~~
>
> Dropping via simple iptables net-mask match::
>
> iptables -t raw -N simple || iptables -t raw -F simple
> iptables -t raw -I simple -s 198.18.0.0/15 -j DROP
> iptables -t raw -D PREROUTING -j simple
> iptables -t raw -I PREROUTING -j simple
>
> Drop performance in "raw": 11.3Mpps
>
> Generator: sending 12.2Mpps (tx:12264083 pps)
>
> Drop via original ipset in RAW table
> ~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Create a set with lots of elements::
> sudo ./ipset destroy test
> echo "create test hash:ip hashsize 65536" > test.set
> for x in `seq 0 255`; do
> for y in `seq 0 255`; do
> echo "add test 198.18.$x.$y" >> test.set
> done
> done
> sudo ./ipset restore < test.set
>
> Dropping via ipset::
>
> iptables -t raw -F
> iptables -t raw -N net198 || iptables -t raw -F net198
> iptables -t raw -I net198 -m set --match-set test src -j DROP
> iptables -t raw -I PREROUTING -j net198
>
> Drop performance in "raw" with ipset: 8Mpps
>
> Perf report numbers ipset drop in "raw"::
>
> + 24.65% ksoftirqd/1 [ip_set] [k] ip_set_test
> - 21.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_lock_bh
> - _raw_read_lock_bh
> + 99.88% ip_set_test
> - 19.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_unlock_bh
> - _raw_read_unlock_bh
> + 99.72% ip_set_test
> + 4.31% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_kadt
> + 2.27% ksoftirqd/1 [ixgbe] [k] ixgbe_fetch_rx_buffer
> + 2.18% ksoftirqd/1 [ip_tables] [k] ipt_do_table
> + 1.81% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_test
> + 1.61% ksoftirqd/1 [kernel.kallsyms] [k] __netif_receive_skb_core
> + 1.44% ksoftirqd/1 [kernel.kallsyms] [k] build_skb
> + 1.42% ksoftirqd/1 [kernel.kallsyms] [k] ip_rcv
> + 1.36% ksoftirqd/1 [kernel.kallsyms] [k] __local_bh_enable_ip
> + 1.16% ksoftirqd/1 [kernel.kallsyms] [k] dev_gro_receive
> + 1.09% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_unlock
> + 0.96% ksoftirqd/1 [ixgbe] [k] ixgbe_clean_rx_irq
> + 0.95% ksoftirqd/1 [kernel.kallsyms] [k] __netdev_alloc_frag
> + 0.88% ksoftirqd/1 [kernel.kallsyms] [k] kmem_cache_alloc
> + 0.87% ksoftirqd/1 [xt_set] [k] set_match_v3
> + 0.85% ksoftirqd/1 [kernel.kallsyms] [k] inet_gro_receive
> + 0.83% ksoftirqd/1 [kernel.kallsyms] [k] nf_iterate
> + 0.76% ksoftirqd/1 [kernel.kallsyms] [k] put_compound_page
> + 0.75% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_lock
>
> Drop via ipset in RAW table with RCU-locking
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> With RCU locking, the RW-lock is gone.
>
> Drop performance in "raw" with ipset with RCU-locking: 11.3Mpps
>
> Performance-tested-by: Jesper Dangaard Brouer <brouer@redhat.com>
> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> ---
> include/linux/netfilter/ipset/ip_set.h | 82 +++-
> include/linux/netfilter/ipset/ip_set_timeout.h | 39 +-
> net/netfilter/ipset/ip_set_bitmap_gen.h | 8 +-
> net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
> net/netfilter/ipset/ip_set_core.c | 35 +-
> net/netfilter/ipset/ip_set_hash_gen.h | 547 +++++++++++++++----------
> net/netfilter/ipset/ip_set_list_set.c | 386 ++++++++---------
> 7 files changed, 614 insertions(+), 485 deletions(-)
>
> diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
> index f1606fa..418d360 100644
> --- a/include/linux/netfilter/ipset/ip_set.h
> +++ b/include/linux/netfilter/ipset/ip_set.h
> @@ -113,10 +113,10 @@ struct ip_set_comment {
> };
>
> struct ip_set_skbinfo {
> - u32 skbmark;
> - u32 skbmarkmask;
> - u32 skbprio;
> - u16 skbqueue;
> + u32 __rcu skbmark;
> + u32 __rcu skbmarkmask;
> + u32 __rcu skbprio;
> + u16 __rcu skbqueue;
> };
>
> struct ip_set;
> @@ -223,7 +223,7 @@ struct ip_set {
> /* The name of the set */
> char name[IPSET_MAXNAMELEN];
> /* Lock protecting the set data */
> - rwlock_t lock;
> + spinlock_t lock;
> /* References to the set */
> u32 ref;
> /* The core set type */
> @@ -322,30 +322,72 @@ ip_set_update_counter(struct ip_set_counter *counter,
> }
> }
>
> +/* RCU-safe assign value */
> +#define IP_SET_RCU_ASSIGN(ptr, value) \
> +do { \
> + smp_wmb(); \
> + *(ptr) = value; \
> +} while (0)
> +
> +static inline void
> +ip_set_rcu_assign_ulong(unsigned long *v, unsigned long value)
> +{
> + IP_SET_RCU_ASSIGN(v, value);
> +}
> +
> +static inline void
> +ip_set_rcu_assign_u32(u32 *v, u32 value)
> +{
> + IP_SET_RCU_ASSIGN(v, value);
> +}
> +
> +static inline void
> +ip_set_rcu_assign_u16(u16 *v, u16 value)
> +{
> + IP_SET_RCU_ASSIGN(v, value);
> +}
> +
> +static inline void
> +ip_set_rcu_assign_u8(u8 *v, u8 value)
> +{
> + IP_SET_RCU_ASSIGN(v, value);
> +}
No questions regarding numbers, but I would like to see some
explanation on the RCU approach that you're implementing in this
patch. Thanks.
next prev parent reply other threads:[~2014-11-26 13:12 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-24 20:46 [PATCH 00/10] ipset patches for nf-next Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 01/10] netfilter: ipset: Support updating extensions when the set is full Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 02/10] netfilter: ipset: Alignment problem between 64bit kernel 32bit userspace Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 03/10] netfilter: ipset: Indicate when /0 networks are supported Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 04/10] netfilter: ipset: Simplify cidr handling for hash:*net* types Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 05/10] netfilter: ipset: Allocate the proper size of memory when /0 networks are supported Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 06/10] netfilter: ipset: Explicitly add padding elements to hash:net,net and hash:net,port,net Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 07/10] netfilter: ipset: Remove rbtree from hash:net,iface in order to run under RCU Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 08/10] netfilter: ipset: Introduce RCU in all set types instead of rwlock per set Jozsef Kadlecsik
2014-11-26 13:14 ` Pablo Neira Ayuso [this message]
2014-11-26 14:58 ` Jozsef Kadlecsik
2014-11-26 15:41 ` Florian Westphal
2014-11-26 16:01 ` Jozsef Kadlecsik
2014-11-26 17:18 ` Pablo Neira Ayuso
2014-11-27 8:23 ` Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 09/10] netfilter: ipset: styles warned by checkpatch.pl fixed Jozsef Kadlecsik
2014-11-24 20:46 ` [PATCH 10/10] netfilter: ipset: Fix parallel resizing and listing of the same set Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141126131434.GA1671@salvia \
--to=pablo@netfilter.org \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.