From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v4 nf-next 0/2] netfilter: x_tables: speed up iptables-restore
Date: Tue, 24 Oct 2017 18:04:17 +0200
Message-ID: <20171024160417.GA12134@salvia>
In-Reply-To: <20171011231351.8517-1-fw@strlen.de>
On Thu, Oct 12, 2017 at 01:13:49AM +0200, Florian Westphal wrote:
> iptables-restore can take quite a long time when the system is busy, in the order
> of half a minute or more.
>
> The main reason for this is the way ip(6)tables performs table swap:
>
> When xt_replace_table assigns the new ruleset pointer, it does
> not wait for other processors to finish with old ruleset.
>
> Instead it relies on the counter sequence lock in get_counters().
>
> This works but this is costly if system is busy as each counter read
> operation can possibly be restarted indefinitely.
>
> Instead, make xt_replace_table wait until all processors are known to not
> use the old ruleset anymore.
>
> This allows reading the old counters without any locking: no cpu is
> using the ruleset anymore, so counters can't change either.
Series applied, thanks.
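The cover letter above describes the new xt_replace_table behaviour only in prose: publish the new ruleset pointer, then wait, per CPU, until any traversal that was in flight at the moment of the swap has finished, after which the old counters can be summed with no seqlock retries. The following is an added user-space model of that pattern, written for this archive page; it is not the kernel patch and not code from the netfilter project. It replaces the kernel's per-cpu seqcount_t (xt_recseq), ipt_do_table and cond_resched() with hypothetical simulated CPUs and a `readers_tick()` stand-in, so the waiting logic can be followed deterministically.

```c
/* Added example, not kernel code: a single-threaded model of the
 * "wait until no CPU uses the old ruleset" scheme from the patch series.
 * CPUs are simulated structs; a reader bumps its seqcount to odd when it
 * starts walking the ruleset and back to even when it finishes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS 4

struct xt_table_sim {
    uint64_t pkt_counter[NR_CPUS];   /* per-cpu packet counters of one ruleset */
};

struct cpu_sim {
    unsigned int recseq;             /* odd = inside a ruleset traversal */
    struct xt_table_sim *cur;        /* ruleset captured at entry, NULL when idle */
    int steps_left;                  /* simulated work before the traversal ends */
};

static struct xt_table_sim *table_private;   /* models table->private */
static struct cpu_sim cpus[NR_CPUS];

/* Reader side: a packet arrives on cpu, seqcount goes odd, pointer is read. */
static void reader_begin(int cpu, int steps)
{
    struct cpu_sim *c = &cpus[cpu];
    c->recseq++;                     /* now odd: traversal in progress */
    c->cur = table_private;          /* may capture the soon-to-be-old pointer */
    c->steps_left = steps;
}

/* One unit of simulated time for every in-flight reader.  A reader that
 * finishes bumps the counter of the table it captured and goes even. */
static void readers_tick(void)
{
    for (int i = 0; i < NR_CPUS; i++) {
        struct cpu_sim *c = &cpus[i];
        if (!(c->recseq & 1))
            continue;
        if (--c->steps_left > 0)
            continue;
        c->cur->pkt_counter[i]++;
        c->cur = NULL;
        c->recseq++;                 /* even again: done with this ruleset */
    }
}

/* Writer side: publish the new ruleset, then for every CPU that is
 * mid-traversal wait until its seqcount changes.  Any traversal started
 * after the swap already sees the new pointer, so one change is enough.
 * Returns the number of simulated ticks spent waiting. */
static int replace_table_sim(struct xt_table_sim *newinfo, struct xt_table_sim **oldinfo)
{
    int ticks = 0;

    *oldinfo = table_private;
    table_private = newinfo;         /* kernel: pointer store + smp_wmb() */

    for (int i = 0; i < NR_CPUS; i++) {
        unsigned int seq = cpus[i].recseq;
        if (seq & 1) {
            do {
                readers_tick();      /* stand-in for cond_resched()/cpu_relax() */
                ticks++;
            } while (seq == cpus[i].recseq);
        }
    }
    return ticks;
}

/* Lock-free counter read: valid only because no CPU still uses *t. */
static uint64_t sum_counters(const struct xt_table_sim *t)
{
    uint64_t total = 0;
    for (int i = 0; i < NR_CPUS; i++)
        total += t->pkt_counter[i];
    return total;
}

/* Constructed scenario: cpu0 completed one packet before the swap; cpu1 and
 * cpu3 are inside a traversal of the old table when the swap happens;
 * cpu2 handles a packet only after the swap.  Returns 0 on success, -1 if
 * any CPU is still odd after replace_table_sim() (which must not happen). */
static int run_scenario(uint64_t *old_total, uint64_t *new_total, int *ticks)
{
    static struct xt_table_sim old_t, new_t;
    struct xt_table_sim *old;

    memset(&old_t, 0, sizeof old_t);
    memset(&new_t, 0, sizeof new_t);
    memset(cpus, 0, sizeof cpus);
    table_private = &old_t;

    reader_begin(0, 1);
    readers_tick();                  /* cpu0 finishes before the swap */
    reader_begin(1, 3);              /* in flight at swap time */
    reader_begin(3, 2);              /* in flight at swap time */

    *ticks = replace_table_sim(&new_t, &old);

    for (int i = 0; i < NR_CPUS; i++)
        if (cpus[i].recseq & 1)
            return -1;

    reader_begin(2, 1);              /* post-swap traversal sees new_t */
    readers_tick();

    *old_total = sum_counters(old);  /* no seqlock: old table is quiescent */
    *new_total = sum_counters(&new_t);
    return 0;
}

int main(void)
{
    uint64_t o, n;
    int t;

    if (run_scenario(&o, &n, &t) != 0)
        return 1;
    printf("waited %d ticks; old counters=%llu new counters=%llu\n",
           t, (unsigned long long)o, (unsigned long long)n);
    return 0;
}
```

The writer waits three ticks in this scenario: two until cpu3 leaves its traversal and one more for cpu1, while the idle CPUs (even seqcount) are skipped immediately. The old table then holds three packets and the new one holds one, and none of those reads needed a retry loop, which is the point the cover letter makes about removing the seqlock from get_counters().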
Thread overview: 4+ messages
2017-10-11 23:13 [PATCH v4 nf-next 0/2] netfilter: x_tables: speed up iptables-restore Florian Westphal
2017-10-11 23:13 ` [PATCH nf-next v4 1/2] netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore Florian Westphal
2017-10-11 23:13 ` [PATCH nf-next v4 2/2] netfilter: x_tables: don't use seqlock when fetching old counters Florian Westphal
2017-10-24 16:04 ` Pablo Neira Ayuso [this message]