From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 14/22] netfilter: limit: use per-rule spinlock to improve the scalability
Date: Mon, 20 Mar 2017 11:08:42 +0100 [thread overview]
Message-ID: <1490004530-9128-15-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1490004530-9128-1-git-send-email-pablo@netfilter.org>
From: Liping Zhang <zlpnobody@gmail.com>
The limit token is independent between each rules, so there's no
need to use a global spinlock.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_limit.c | 10 +++++-----
net/netfilter/xt_limit.c | 11 ++++++-----
2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index c6baf412236d..18dd57a52651 100644
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -17,9 +17,8 @@
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
-static DEFINE_SPINLOCK(limit_lock);
-
struct nft_limit {
+ spinlock_t lock;
u64 last;
u64 tokens;
u64 tokens_max;
@@ -34,7 +33,7 @@ static inline bool nft_limit_eval(struct nft_limit *limit, u64 cost)
u64 now, tokens;
s64 delta;
- spin_lock_bh(&limit_lock);
+ spin_lock_bh(&limit->lock);
now = ktime_get_ns();
tokens = limit->tokens + now - limit->last;
if (tokens > limit->tokens_max)
@@ -44,11 +43,11 @@ static inline bool nft_limit_eval(struct nft_limit *limit, u64 cost)
delta = tokens - cost;
if (delta >= 0) {
limit->tokens = delta;
- spin_unlock_bh(&limit_lock);
+ spin_unlock_bh(&limit->lock);
return limit->invert;
}
limit->tokens = tokens;
- spin_unlock_bh(&limit_lock);
+ spin_unlock_bh(&limit->lock);
return !limit->invert;
}
@@ -86,6 +85,7 @@ static int nft_limit_init(struct nft_limit *limit,
limit->invert = true;
}
limit->last = ktime_get_ns();
+ spin_lock_init(&limit->lock);
return 0;
}
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index dab962df1787..d27b5f1ea619 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -18,6 +18,7 @@
#include <linux/netfilter/xt_limit.h>
struct xt_limit_priv {
+ spinlock_t lock;
unsigned long prev;
uint32_t credit;
};
@@ -32,8 +33,6 @@ MODULE_ALIAS("ip6t_limit");
* see net/sched/sch_tbf.c in the linux source tree
*/
-static DEFINE_SPINLOCK(limit_lock);
-
/* Rusty: This is my (non-mathematically-inclined) understanding of
this algorithm. The `average rate' in jiffies becomes your initial
amount of credit `credit' and the most credit you can ever have
@@ -72,7 +71,7 @@ limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
struct xt_limit_priv *priv = r->master;
unsigned long now = jiffies;
- spin_lock_bh(&limit_lock);
+ spin_lock_bh(&priv->lock);
priv->credit += (now - xchg(&priv->prev, now)) * CREDITS_PER_JIFFY;
if (priv->credit > r->credit_cap)
priv->credit = r->credit_cap;
@@ -80,11 +79,11 @@ limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (priv->credit >= r->cost) {
/* We're not limited. */
priv->credit -= r->cost;
- spin_unlock_bh(&limit_lock);
+ spin_unlock_bh(&priv->lock);
return true;
}
- spin_unlock_bh(&limit_lock);
+ spin_unlock_bh(&priv->lock);
return false;
}
@@ -126,6 +125,8 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
r->credit_cap = priv->credit; /* Credits full. */
r->cost = user2credits(r->avg);
}
+ spin_lock_init(&priv->lock);
+
return 0;
}
--
2.1.4
next prev parent reply other threads:[~2017-03-20 10:08 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-20 10:08 [PATCH 00/22] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 01/22] netfilter: nft_exthdr: Allow checking TCP option presence, too Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 02/22] netfilter: nft_hash: rename nft_hash to nft_jhash Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 03/22] netfilter: nft_hash: support of symmetric hash Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 04/22] netfilter: Use pr_cont where appropriate Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 05/22] netfilter: arp_tables: remove redundant check on ret being non-zero Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 06/22] netfilter: nf_tables: validate the expr explicitly after init successfully Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 07/22] netfilter: nf_tables: add nft_set_lookup() Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 08/22] netfilter: bridge: remove unneeded rcu_read_lock Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 09/22] netfilter: nf_reject: remove unused variable Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 10/22] netfilter: provide nft_ctx in object init function Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 11/22] netfilter: nft_ct: add helper set support Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 12/22] netfilter: nft_fib: Support existence check Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 13/22] netfilter: nf_conntrack: reduce resolve_normal_ct args Pablo Neira Ayuso
2017-03-20 10:08 ` Pablo Neira Ayuso [this message]
2017-03-20 10:08 ` [PATCH 15/22] netfilter: nft_set_rbtree: use per-set rwlock to improve the scalability Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 16/22] ipvs: remove an annoying printk in netns init Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 17/22] ipvs: fix sync_threshold description and add sync_refresh_period, sync_retries Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 18/22] ipvs: Document sysctl sync_qlen_max and sync_sock_size Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 19/22] ipvs: Document sysctl sync_ports Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 20/22] ipvs: Document sysctl pmtu_disc Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 21/22] netfilter: refcounter conversions Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 22/22] netfilter: fix the warning on unused refcount variable Pablo Neira Ayuso
2017-03-21 21:34 ` [PATCH 00/22] Netfilter/IPVS updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1490004530-9128-15-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).