Re: [PATCH next] netfilter: nfqueue: batch verdict support

[Patrick McHardy <kaber@trash.net>]

Am 07.07.2011 15:45, schrieb Florian Westphal:
> Patrick McHardy <kaber@trash.net> wrote:
>> On 10.06.2011 00:14, Florian Westphal wrote:
>>> Introduces a new nfnetlink type that applies a given
>>> verdict to all queued packets with an id <= the id in the verdict
>>> message.
>>>
>>> If a mark is provided it is applied to all matched packets.
>>>
>>> This reduces the number of verdicts that have to be sent.
>>> Applications that make use of this feature need to maintain
>>> a timeout to send a batchverdict periodically to avoid starvation.
>>
>> Thanks Florian. Do you have any throughput numbers with this patch?
> 
> I re-ran some tests via lo, with Eric Dumazets
> "netfilter: nfqueue: assert monotonic packet ids" patch applied on top of
> a 2.6.39.2 kernel.
> 
> With "one accept per packet", the rest program needs
> about two minutes to process 10000000 1024-Byte udp packets
> sent via lo (queueing via
> -t mangle -I INPUT -i lo -p udp -m udp --dport 6666 -j NFQUEUE --queue-num 0
> ; no other queueing rules active)
> 
> When sending batch accept verdicts for every tenth packet received,
> run time was reduced to about 72 seconds.
> 
> I ran this several times and the results were similar.

Thanks, that sounds pretty promising.

> Just to be sure I also tried with the Erics RCU patch applied but I
> did not see any changes (not surprising because nfnl_mutex should
> not cause contention in the "single queue" case).

I'll have another look at this patch later. As I wrote, I'm unsure
whether we want to do a full move to RCU because of ctnetlink, but
the optional RCU callbacks seem fine for now.