Netdev List
From: Eric Dumazet <eric.dumazet@gmail.com>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Changli Gao <xiaosuo@gmail.com>,
	Patrick McHardy <kaber@trash.net>,
	"David S. Miller" <davem@davemloft.net>,
	netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
	Stephen Hemminger <shemminger@vyatta.com>
Subject: Re: [RFC PATCH] netfilter: remove the duplicate tables
Date: Fri, 19 Nov 2010 12:29:40 +0100
Message-ID: <1290166180.3034.119.camel@edumazet-laptop>
In-Reply-To: <alpine.LNX.2.01.1011191210290.29394@obet.zrqbmnf.qr>

On Friday, 19 November 2010 at 12:15 +0100, Jan Engelhardt wrote:

> Was it? Quoting Patrick from 24h prior to this post:
> 
> |so patches to get rid of the table duplication are highly welcome.
> 
> >still you post a patch that needs our review and time ? This is crazy.
> 
> You do not need to do it, but I will happily look at this.
> Of course my observations are the same as yours:
> 
> >Your way of allocating a percpu counter for each counter is a pure TLB
> >and cache line blower (up to two cache lines per counter), not counting
> >the time needed to load a new table with 10.000 entries. Some people
> >still use scripts with hundreds of calls to iptables.
> 
> The two are statistically independent though. Even for a loaded 
> ruleset, the TLB/DC miss accumulation will be disastrous - as I've found 
> with linked-list rules/small allocs.
> 
> >Allocating one contiguous percpu var for all counters is a must.
> >
> >Problem is: percpu alloc doesn't allow big allocations.
> >
> >#define PCPU_MIN_UNIT_SIZE      PFN_ALIGN(32 << 10)
> >
> >So max allocation is 32 Kbytes, that's 2048 'xt_counters' only.
> >-> cannot really use pcpu-alloc, but a kmalloc_node() or vmalloc_node()
> >per cpu
> 
> .. as is already done for jumpstack ;-)

IMHO, the real problem is not the table duplication. We know that adding
a level of indirection is going to hurt a lot because of cache misses.

It's the atomic op (spinlock) done for every packet, entering every
filter, with the conditional branch we do because of possible recursion.

Per cpu variable, and spinlock... it's really expensive.

Stephen tried an RCU conversion some time ago, that aborted because of
RCU drawbacks (too much memory was possibly waiting to be freed after a
grace period). Maybe RCU infrastructure is now ready to try again.

We should do what we did for u64 stats counters in network stack, using
the u64_stats_sync.h infrastructure. No more synchro between the threads
running through rules, and one gathering counters. Better latencies in
particular.



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
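
The message above proposes counting with no synchronisation between the packet path and the thread gathering counters, as u64_stats_sync.h does for network stats. The following is an added example, not code from this thread or from the kernel: a userspace C11 model of the per-CPU sequence-counter idea, in which the names `pcpu_cnt`, `rule_cnt`, `count_packet`, `try_snapshot`, `sum_counters` and the CPU count are assumptions made for the sketch.

```c
#include <stdatomic.h>
#include <stdint.h>

#define NCPU 4 /* assumed CPU count for this sketch */
#define LD(p)    atomic_load_explicit((p), memory_order_relaxed)
#define ST(p, v) atomic_store_explicit((p), (v), memory_order_relaxed)

/* One slot per CPU; the packet/byte pair mirrors struct xt_counters. */
static struct pcpu_cnt {
    atomic_uint seq;             /* odd while the owner is mid-update */
    _Atomic uint64_t pcnt, bcnt;
} rule_cnt[NCPU];

/* Packet path: only the owning CPU writes its slot, so no lock is taken. */
static void count_packet(int cpu, uint64_t bytes)
{
    struct pcpu_cnt *p = &rule_cnt[cpu];
    unsigned s = LD(&p->seq);
    ST(&p->seq, s + 1);                         /* begin: seq goes odd */
    atomic_thread_fence(memory_order_release);
    ST(&p->pcnt, LD(&p->pcnt) + 1);
    ST(&p->bcnt, LD(&p->bcnt) + bytes);
    atomic_store_explicit(&p->seq, s + 2, memory_order_release); /* end */
}

/* Gathering side: 1 with a consistent pair, 0 if a write raced (retry). */
static int try_snapshot(int cpu, uint64_t *pcnt, uint64_t *bcnt)
{
    struct pcpu_cnt *p = &rule_cnt[cpu];
    unsigned s = atomic_load_explicit(&p->seq, memory_order_acquire);
    *pcnt = LD(&p->pcnt);
    *bcnt = LD(&p->bcnt);
    atomic_thread_fence(memory_order_acquire);
    return !(s & 1) && s == LD(&p->seq);
}

/* Sum every CPU's slot without ever stalling the packet path. */
static void sum_counters(uint64_t *pcnt, uint64_t *bcnt)
{
    *pcnt = *bcnt = 0;
    for (int cpu = 0; cpu < NCPU; cpu++) {
        uint64_t p, b;
        while (!try_snapshot(cpu, &p, &b))
            ;                                   /* slot changed: reread */
        *pcnt += p;
        *bcnt += b;
    }
}
```

The cost of a concurrent update is paid by the reader, which rereads the slot, rather than by every packet taking a lock.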

Thread overview: 10+ messages
2010-11-18 14:39 [RFC PATCH] netfilter: remove the duplicate tables Changli Gao
2010-11-18 15:43 ` Eric Dumazet
2010-11-18 23:36   ` Changli Gao
2010-11-19  6:24     ` Eric Dumazet
2010-11-19 11:15   ` Jan Engelhardt
2010-11-19 11:29     ` Eric Dumazet [this message]
2010-11-19 12:48       ` Changli Gao
2010-11-19 12:57         ` Jan Engelhardt
2010-11-19 13:03           ` Changli Gao
2010-11-19 13:11             ` Jan Engelhardt
