From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 11/14] netfilter: ipset: Introduce RCU locking in the hash types
Date: Tue, 2 Dec 2014 19:40:12 +0100 [thread overview]
Message-ID: <20141202184012.GD4504@salvia> (raw)
In-Reply-To: <1417373825-3734-12-git-send-email-kadlec@blackhole.kfki.hu>
On Sun, Nov 30, 2014 at 07:57:02PM +0100, Jozsef Kadlecsik wrote:
> Performance is tested by Jesper Dangaard Brouer:
>
> Simple drop in FORWARD
> ~~~~~~~~~~~~~~~~~~~~
>
> Dropping via simple iptables net-mask match::
>
> iptables -t raw -N simple || iptables -t raw -F simple
> iptables -t raw -I simple -s 198.18.0.0/15 -j DROP
> iptables -t raw -D PREROUTING -j simple
> iptables -t raw -I PREROUTING -j simple
>
> Drop performance in "raw": 11.3Mpps
>
> Generator: sending 12.2Mpps (tx:12264083 pps)
>
> Drop via original ipset in RAW table
> ~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Create a set with lots of elements::
> sudo ./ipset destroy test
> echo "create test hash:ip hashsize 65536" > test.set
> for x in `seq 0 255`; do
> for y in `seq 0 255`; do
> echo "add test 198.18.$x.$y" >> test.set
> done
> done
> sudo ./ipset restore < test.set
>
> Dropping via ipset::
>
> iptables -t raw -F
> iptables -t raw -N net198 || iptables -t raw -F net198
> iptables -t raw -I net198 -m set --match-set test src -j DROP
> iptables -t raw -I PREROUTING -j net198
>
> Drop performance in "raw" with ipset: 8Mpps
>
> Perf report numbers ipset drop in "raw"::
>
> + 24.65% ksoftirqd/1 [ip_set] [k] ip_set_test
> - 21.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_lock_bh
> - _raw_read_lock_bh
> + 99.88% ip_set_test
> - 19.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_unlock_bh
> - _raw_read_unlock_bh
> + 99.72% ip_set_test
> + 4.31% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_kadt
> + 2.27% ksoftirqd/1 [ixgbe] [k] ixgbe_fetch_rx_buffer
> + 2.18% ksoftirqd/1 [ip_tables] [k] ipt_do_table
> + 1.81% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_test
> + 1.61% ksoftirqd/1 [kernel.kallsyms] [k] __netif_receive_skb_core
> + 1.44% ksoftirqd/1 [kernel.kallsyms] [k] build_skb
> + 1.42% ksoftirqd/1 [kernel.kallsyms] [k] ip_rcv
> + 1.36% ksoftirqd/1 [kernel.kallsyms] [k] __local_bh_enable_ip
> + 1.16% ksoftirqd/1 [kernel.kallsyms] [k] dev_gro_receive
> + 1.09% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_unlock
> + 0.96% ksoftirqd/1 [ixgbe] [k] ixgbe_clean_rx_irq
> + 0.95% ksoftirqd/1 [kernel.kallsyms] [k] __netdev_alloc_frag
> + 0.88% ksoftirqd/1 [kernel.kallsyms] [k] kmem_cache_alloc
> + 0.87% ksoftirqd/1 [xt_set] [k] set_match_v3
> + 0.85% ksoftirqd/1 [kernel.kallsyms] [k] inet_gro_receive
> + 0.83% ksoftirqd/1 [kernel.kallsyms] [k] nf_iterate
> + 0.76% ksoftirqd/1 [kernel.kallsyms] [k] put_compound_page
> + 0.75% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_lock
>
> Drop via ipset in RAW table with RCU-locking
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> With RCU locking, the RW-lock is gone.
>
> Drop performance in "raw" with ipset with RCU-locking: 11.3Mpps
>
> Performance-tested-by: Jesper Dangaard Brouer <brouer@redhat.com>
> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> ---
> net/netfilter/ipset/ip_set_hash_gen.h | 580 ++++++++++++++++++++--------------
> 1 file changed, 344 insertions(+), 236 deletions(-)
>
> diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
> index 974ff38..8f51ba4 100644
> --- a/net/netfilter/ipset/ip_set_hash_gen.h
> +++ b/net/netfilter/ipset/ip_set_hash_gen.h
> @@ -10,19 +10,19 @@
>
> #include <linux/rcupdate.h>
> #include <linux/jhash.h>
> +#include <linux/types.h>
> #include <linux/netfilter/ipset/ip_set_timeout.h>
> -#ifndef rcu_dereference_bh
> -#define rcu_dereference_bh(p) rcu_dereference(p)
> -#endif
> +
> +#define __ipset_dereference_protected(p, c) rcu_dereference_protected(p, c)
> +#define ipset_dereference_protected(p, set) \
> + __ipset_dereference_protected(p, spin_is_locked(&(set)->lock))
>
> #define rcu_dereference_bh_nfnl(p) rcu_dereference_bh_check(p, 1)
>
[...]
> /* Flush a hash type of set: destroy all elements */
> @@ -376,16 +359,16 @@ mtype_flush(struct ip_set *set)
> struct hbucket *n;
> u32 i;
>
> - t = rcu_dereference_bh_nfnl(h->table);
> + t = ipset_dereference_protected(h->table, set);
> for (i = 0; i < jhash_size(t->htable_bits); i++) {
> - n = hbucket(t, i);
> - if (n->size) {
> - if (set->extensions & IPSET_EXT_DESTROY)
> - mtype_ext_cleanup(set, n);
> - n->size = n->pos = 0;
> - /* FIXME: use slab cache */
> - kfree(n->value);
> - }
> + n = __ipset_dereference_protected(hbucket(t, i), 1);
What is your intention with these macros?
next prev parent reply other threads:[~2014-12-02 18:37 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-30 18:56 [PATCH 00/10] ipset patches for nf-next, v2 Jozsef Kadlecsik
2014-11-30 18:56 ` [PATCH 01/14] netfilter: ipset: Support updating extensions when the set is full Jozsef Kadlecsik
2014-12-02 18:46 ` Pablo Neira Ayuso
2014-12-02 18:50 ` Pablo Neira Ayuso
2014-12-03 11:26 ` Jozsef Kadlecsik
2014-12-03 11:56 ` Pablo Neira Ayuso
2014-11-30 18:56 ` [PATCH 02/14] netfilter: ipset: Alignment problem between 64bit kernel 32bit userspace Jozsef Kadlecsik
2014-11-30 18:56 ` [PATCH 03/14] netfilter: ipset: Indicate when /0 networks are supported Jozsef Kadlecsik
2014-11-30 18:56 ` [PATCH 04/14] netfilter: ipset: Simplify cidr handling for hash:*net* types Jozsef Kadlecsik
2014-11-30 18:56 ` [PATCH 05/14] netfilter: ipset: Allocate the proper size of memory when /0 networks are supported Jozsef Kadlecsik
2014-11-30 18:56 ` [PATCH 06/14] netfilter: ipset: Explicitly add padding elements to hash:net,net and hash:net,port,net Jozsef Kadlecsik
2014-11-30 18:56 ` [PATCH 07/14] netfilter: ipset: Remove rbtree from hash:net,iface in order to run under RCU Jozsef Kadlecsik
2014-12-02 18:23 ` Pablo Neira Ayuso
2014-12-03 10:54 ` Jozsef Kadlecsik
2014-11-30 18:56 ` [PATCH 08/14] netfilter: ipset: Introduce RCU locking instead of rwlock per set in the core Jozsef Kadlecsik
2014-12-02 18:25 ` Pablo Neira Ayuso
2014-12-03 11:01 ` Jozsef Kadlecsik
2014-11-30 18:57 ` [PATCH 09/14] netfilter: ipset: Introduce RCU locking in the bitmap types Jozsef Kadlecsik
2014-11-30 18:57 ` [PATCH 10/14] netfilter: ipset: Introduce RCU locking in the list type Jozsef Kadlecsik
2014-12-02 18:35 ` Pablo Neira Ayuso
2014-12-02 18:52 ` Pablo Neira Ayuso
2014-12-03 11:17 ` Jozsef Kadlecsik
2014-12-03 11:36 ` Pablo Neira Ayuso
2014-11-30 18:57 ` [PATCH 11/14] netfilter: ipset: Introduce RCU locking in the hash types Jozsef Kadlecsik
2014-12-01 7:59 ` Jesper Dangaard Brouer
2014-12-02 18:40 ` Pablo Neira Ayuso [this message]
2014-12-03 11:23 ` Jozsef Kadlecsik
2014-11-30 18:57 ` [PATCH 12/14] netfilter: ipset: styles warned by checkpatch.pl fixed Jozsef Kadlecsik
2014-12-02 18:43 ` Pablo Neira Ayuso
2014-12-03 11:25 ` Jozsef Kadlecsik
2014-11-30 18:57 ` [PATCH 13/14] netfilter: ipset: Fix parallel resizing and listing of the same set Jozsef Kadlecsik
2014-11-30 18:57 ` [PATCH 14/14] netfilter: ipset: Fix sparse warning Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141202184012.GD4504@salvia \
--to=pablo@netfilter.org \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).