Netdev List
From: Eric Dumazet <eric.dumazet@gmail.com>
To: Changli Gao <xiaosuo@gmail.com>
Cc: Patrick McHardy <kaber@trash.net>,
	"David S. Miller" <davem@davemloft.net>,
	netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [RFC PATCH] netfilter: remove the duplicate tables
Date: Thu, 18 Nov 2010 16:43:40 +0100
Message-ID: <1290095020.2781.203.camel@edumazet-laptop>
In-Reply-To: <1290091194-1590-1-git-send-email-xiaosuo@gmail.com>

On Thursday, 18 November 2010 at 22:39 +0800, Changli Gao wrote:
> As only xt_counters are private to each CPU, we don't need to maintain
> a whole individual table for each CPU.
> 
> In the kernel space, we use the memory of ipt_entry.counters to save a
> pointer to a percpu xt_counters. When iptables runs, it only updates the
> counters on its own CPU.
> 
> On non SMP platforms, no change is made.
> 
> Only the code of iptables is converted. Thanks for reviews.
> 

Changli

I answered you that a (difficult) work was in progress, still you post a
patch that needs our review and time? This is crazy.

I am tempted to stop here. Oh well...

Your way of allocating a percpu counter for each counter is a pure TLB
and cache line blower (up to two cache lines per counter), not counting
the time needed to load a new table with 10.000 entries. Some people
still use scripts with hundreds of calls to iptables.

percpu_alloc() is not meant to be used thousands of times per second. It
is not scalable.

You consume 16 bytes per counter in the main table, while a 4-byte index
should be enough on an SMP build. Most firewalls I know use two or four
cpus at most.

They care about speed, not really because iptables duplicates table on
each cpu. By the way, not using NUMA can definitely hurt firewalls with
many rules, unless you make sure the main table is vmalloced() with node
distribution, not a single node. Even with this, this can hurt
latencies.

Allocating one contiguous percpu var for all counters is a must.

Problem is: percpu alloc doesn't allow big allocations.

#define PCPU_MIN_UNIT_SIZE      PFN_ALIGN(32 << 10)

So max allocation is 32 Kbytes, that's 2048 'xt_counters' only.
-> cannot really use pcpu-alloc, but a kmalloc_node() or vmalloc_node()
per cpu
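
A userspace sketch of the layout argued for above, added here as an illustration and not taken from Eric Dumazet's message, the patch under review, or the kernel: each rule carries a 4-byte index into one contiguous counter block per CPU. `struct rule`, `struct counter_set` and the function names are hypothetical, `NR_CPUS` is fixed at 4, and `calloc()` stands in for `kmalloc_node()`/`vmalloc_node()`.

```c
#include <stdint.h>
#include <stdlib.h>

#define NR_CPUS 4                              /* assumption: small SMP firewall */
struct xt_counters { uint64_t pcnt, bcnt; };   /* packets, bytes: 16 bytes */
struct rule { uint32_t cnt_idx; };             /* hypothetical: 4-byte index per rule */
struct counter_set {
    uint32_t nr;                               /* number of counters (rules) */
    struct xt_counters *percpu[NR_CPUS];       /* one contiguous block per CPU */
};

/* One allocation per CPU for the whole ruleset, not one per counter. */
int counter_set_init(struct counter_set *cs, uint32_t nr) {
    cs->nr = nr;
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        cs->percpu[cpu] = calloc(nr, sizeof(struct xt_counters));
        if (!cs->percpu[cpu]) { while (cpu--) free(cs->percpu[cpu]); return -1; }
    }
    return 0;
}
void counter_set_free(struct counter_set *cs) {
    for (int cpu = 0; cpu < NR_CPUS; cpu++) free(cs->percpu[cpu]);
}
/* Packet path: touches only the given CPU's block; rejects out-of-range indexes. */
int counter_add(struct counter_set *cs, int cpu, const struct rule *r, uint64_t bytes) {
    if (cpu < 0 || cpu >= NR_CPUS || r->cnt_idx >= cs->nr) return -1;
    cs->percpu[cpu][r->cnt_idx].pcnt += 1;
    cs->percpu[cpu][r->cnt_idx].bcnt += bytes;
    return 0;
}
/* Slow path (listing rules): sum one rule's slot across all CPUs. */
struct xt_counters counter_read(const struct counter_set *cs, const struct rule *r) {
    struct xt_counters sum = {0, 0};
    for (int cpu = 0; r->cnt_idx < cs->nr && cpu < NR_CPUS; cpu++) {
        sum.pcnt += cs->percpu[cpu][r->cnt_idx].pcnt;
        sum.bcnt += cs->percpu[cpu][r->cnt_idx].bcnt;
    }
    return sum;
}
int main(void) {
    struct counter_set cs;
    struct rule r = { 9999 };                  /* constructed: last of 10,000 rules */
    if (counter_set_init(&cs, 10000)) return 1;
    counter_add(&cs, 0, &r, 1500);             /* same rule hit on CPU 0 ... */
    counter_add(&cs, 3, &r, 40);               /* ... and on CPU 3 */
    int ok = counter_read(&cs, &r).pcnt == 2;
    counter_set_free(&cs);
    return !ok;
}
```

Loading a table costs `NR_CPUS` allocations regardless of rule count, and consecutive rules' counters share cache lines within a CPU's block.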


