netfilter-devel.vger.kernel.org archive mirror
From: "John Ye" <johny@asimco.com.cn>
To: <netfilter-devel@vger.kernel.org>
Cc: " john ye" <johny@asimco.com.cn>, "YE QY" <iceburgue@gmail.com>
Subject: remarkably Increase iptables' speed on SMP system.
Date: Fri, 28 Sep 2007 10:15:34 +0800
Message-ID: <00de01c80175$7402ef90$ca8510ac@asimco>

All,

Iptables can't make full use of SMP because it runs in softirq.
There are many reports or complaints saying that when netfilter runs, only one or two CPUs are busy doing softirq while the others are
idle. See http://www.ussg.iu.edu/hypermail/linux/kernel/0702.0/1833.html; you can find many of these reports by googling 'iptables
SMP softirq'.
This situation becomes especially bad when iptables' load is high, for example, when there are too many rules to match or there
are too many connections to track.
irqbalance looks like it resolves this problem, but it does NOT. Balancing irqs among CPUs doesn't mean taking full advantage of SMP
in any sense; periodically shifting the NIC irq among CPUs can't gain extra processing speed (because the CPUs are not running concurrently in
softirq). When the irq is shifted from CPU0 to CPU1, CPU1 is busy and CPU0 becomes idle.
The Linux network irq handling code tends to collect the same irqs on different CPUs onto one CPU when the NIC is busy.
This tendency makes irqbalance not work well. After running iptables for some time, the originally balanced irqs may become
unbalanced. And even if irqbalance works well, iptables' processing capacity doesn't go up.

There is a kernel patch to let the softirq network code (iptables included) run concurrently on every CPU of an SMP system.
We wrote the kernel patch, and a loadable module as well, to totally resolve the iptables SMP issue.
We have discussed it with kernel netdev experts. It should be working.

The patch (module) will greatly increase the speed of iptables by making full use of every CPU in an SMP system.

It can be viewed and downloaded from the blog at http://blog.chinaunix.net/u/12848/showart.php?id=389602
You are welcome to review and test it without patching and re-compiling the kernel.

Thanks.

John Ye & Qianyu Ye
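
Added example, not part of John Ye's message or of the patch it announces: one way to check for the imbalance the message describes is to compare two snapshots of the per-CPU NET_RX softirq counters. It assumes a kernel that exposes /proc/softirqs; the two snapshots are constructed sample data and the 0.75 threshold is an arbitrary choice.

```python
# Added example: measure how NET_RX softirq work is spread across CPUs.
# SNAP_T0 / SNAP_T1 are constructed samples in /proc/softirqs layout.

SNAP_T0 = """\
                    CPU0       CPU1       CPU2       CPU3
       TIMER:     120000     118000     119500     117900
      NET_TX:        300         10         12          9
      NET_RX:    5000000       2000       1500       1800
"""

SNAP_T1 = """\
                    CPU0       CPU1       CPU2       CPU3
       TIMER:     121000     119000     120500     118900
      NET_TX:        420         11         12         10
      NET_RX:    5900000       2500       1900       2200
"""


def parse_softirqs(text):
    """Return {softirq_name: {cpu_name: count}} from /proc/softirqs text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cpus = lines[0].split()          # header row names the CPU columns
    table = {}
    for ln in lines[1:]:
        name, _, rest = ln.partition(":")
        counts = [int(x) for x in rest.split()]
        table[name.strip()] = dict(zip(cpus, counts))
    return table


def softirq_shares(before, after, name="NET_RX"):
    """Per-CPU share of softirq `name` raised between two snapshots."""
    b, a = parse_softirqs(before)[name], parse_softirqs(after)[name]
    delta = {cpu: a[cpu] - b.get(cpu, 0) for cpu in a}
    total = sum(delta.values())
    return {cpu: (d / total if total else 0.0) for cpu, d in delta.items()}


def hot_cpus(shares, threshold=0.75):
    """CPUs that handled more than `threshold` of the interval's softirqs."""
    return sorted(cpu for cpu, s in shares.items() if s > threshold)


if __name__ == "__main__":
    shares = softirq_shares(SNAP_T0, SNAP_T1)
    for cpu, s in shares.items():
        print(f"{cpu}: {s:6.1%}")
    print("hot:", hot_cpus(shares))
```

On a live system the two inputs would be reads of /proc/softirqs taken a few seconds apart while the firewall is under load.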

Thread overview: 12+ messages
2007-09-28  2:15 John Ye [this message]
2007-09-28 12:18 ` remarkably Increase iptables' speed on SMP system Amin Azez
2007-09-28 13:29   ` Henrik Nordstrom
2007-09-28 16:01   ` Rennie deGraaf
2007-09-29  9:52   ` John Ye
2007-10-01  7:21   ` john ye
2007-10-01 12:10     ` john ye
2007-10-08 12:04   ` john ye
2007-10-08 16:40     ` Patrick McHardy
2007-10-10  1:48       ` John Ye
2007-09-28 13:52 ` Jan Engelhardt
     [not found] <001201c80298$3509ac10$0201a8c0@ibmea4709fd199>
2007-09-29 13:23 ` john ye