From: Florian Westphal
Subject: netfilter: x_tables: speed up iptables-restore
Date: Tue, 10 Oct 2017 12:13:36 +0200
Message-ID: <20171010101338.14443-1-fw@strlen.de>
Cc: dcbw@redhat.com, edumzet@google.com
To:
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

When xt_replace_table assigns the new ruleset pointer, it does not wait for
other processors to finish with the old ruleset. Instead it relies on the
counter sequence lock in get_counters() to do this.

This works, but it is very costly if the system is busy, as each counter
read operation can possibly be restarted indefinitely.

Instead, let's make xt_replace_table wait until all processors are known to
not use the old ruleset anymore. This allows reading the old rule set
counters without the sequence lock -- as we already know no cpu is using the
ruleset anymore, the counters can't change either.

 ipv4/netfilter/arp_tables.c | 22 ++++++++++++++++++++--
 ipv4/netfilter/ip_tables.c  | 23 +++++++++++++++++++++--
 ipv6/netfilter/ip6_tables.c | 22 ++++++++++++++++++++--
 netfilter/x_tables.c        | 15 ++++++++++++---
 4 files changed, 73 insertions(+), 9 deletions(-)
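The wait described in the cover letter, as an added user-space model (not the series' own code): it assumes the kernel's per-cpu xt_recseq convention, where a cpu's sequence is odd while it is inside a ruleset traversal and even otherwise, and shows why a cpu whose sequence merely changed is already safe. The atomics, names and sample counters are constructed for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define NCPU 4

/* Model of the per-cpu xt_recseq (assumed convention): a cpu bumps its
 * counter when it enters a ruleset (odd) and again when it leaves (even). */
static atomic_uint recseq[NCPU];

struct ruleset { unsigned long counters[NCPU]; }; /* per-cpu packet counters */

static struct ruleset *_Atomic cur_table;

void reader_enter(int cpu) { atomic_fetch_add(&recseq[cpu], 1); } /* now odd  */
void reader_exit(int cpu)  { atomic_fetch_add(&recseq[cpu], 1); } /* now even */

/* Publish the new table and snapshot every cpu's sequence at that instant. */
struct ruleset *publish_table(struct ruleset *newtbl, unsigned snap[NCPU])
{
    struct ruleset *old = atomic_exchange(&cur_table, newtbl);
    for (int cpu = 0; cpu < NCPU; cpu++)
        snap[cpu] = atomic_load(&recseq[cpu]);
    return old;
}

/* True once no cpu can still be traversing the old table. A cpu that was
 * even at the snapshot was outside any traversal; one that was odd is clear
 * as soon as its sequence changes, because any traversal it starts after
 * that began after the pointer swap and therefore sees the new table.
 * The kernel would poll this (cond_resched()/cpu_relax()) before reading
 * the old counters; here the poll is left to the caller. */
bool old_table_quiescent(const unsigned snap[NCPU])
{
    for (int cpu = 0; cpu < NCPU; cpu++) {
        if ((snap[cpu] & 1) && atomic_load(&recseq[cpu]) == snap[cpu])
            return false; /* still inside the traversal it began before the swap */
    }
    return true;
}

/* Once quiescent, the old counters are stable: no seqlock retry loop needed. */
unsigned long sum_old_counters(const struct ruleset *old)
{
    unsigned long total = 0;
    for (int cpu = 0; cpu < NCPU; cpu++)
        total += old->counters[cpu];
    return total;
}
```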