Re: netfilter queue throughput slowdown

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Anders Nilsson Plymoth <lanilsson@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: netfilter queue throughput slowdown
Date: Wed, 29 Jun 2011 11:55:39 +0200	[thread overview]
Message-ID: <BANLkTi=C7J0u_kn6UknFsGAx9Z5kHUUBrw@mail.gmail.com> (raw)
In-Reply-To: <1309340843.2532.112.camel@edumazet-laptop>

Hi Eric,

Thanks for your reply.
Yes, I am sure I set the verdict, as right now I do it on all packets
by default.
I will try upgrading and see if it works. Do you know if commit
c463ac972315a0 solves the problem you mentioned?

Thanks,
Anders

On Wed, Jun 29, 2011 at 11:47 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le mercredi 29 juin 2011 à 11:17 +0200, Anders Nilsson Plymoth a écrit :
>> Hi,
>>
>> I am using libnetfilter-queue on a router running Ubuntu 10.10 with
>> 2.6.35-28-generic. The problem I am having is that I am experiencing a
>> very significant throughput slowdown whenever my NFQUEUE program is
>> running. This happens even when I use bare bone libnetfilter-queue
>> program that immediately issues an ACCEPT verdict as soon as it
>> receives a packet. Whenever this program is running, my max throughput
>> is cut in half, and the reason it happens is because nf_queue
>> overflows (nf_queue: full at 1024 entries, dropping packets(s)), and I
>> notice my CPU utilization is 100%. However, when my program is not
>> running and I am not passing packets through NFQUEUE and the router
>> routes packets as normal, I get full throughput with only 0.1% CPU
>> utilization.
>>
>> I find this a bit strange, can the netfilter queue processing take the
>> cpu from 0.1% to 100% and start dropping packets even with no other
>> processing than setting immediately setting the verdict? We have two
>> of these machines, with identical hardware and OS, and they experience
>> the same behavior.
>> I am also confused as we have been using these machines previously and
>> been able to obtain full throughput with our netfilter program.
>>
>> Does anyone have a clue here, or suggest what I should look into in
>> order to speed things up.
>>
>
> Hmm, this is a known problem.
>
> net/netfilter/nfnetlink_queue.c uses a single list of packets per queue.
>
> If your application gives verdict for a packet not at the head of queue,
> find_dequeue_entry() spend a lot of time to find the packet.
>
> So are you sure you dont forget to give verdict for some packets, and
> queue fills to its limit ?
>
> Some attempts in the past tried to convert this list in a tree but AFAIK
> nothing was merged.
>
> By the way, latest Ubuntu has more recent kernel, you could try it as it
> includes commit c463ac972315a0 (netfilter: nfnetlink_queue: some
> optimizations)
>
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

next prev parent reply	other threads:[~2011-06-29  9:56 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-06-29  9:17 netfilter queue throughput slowdown Anders Nilsson Plymoth
2011-06-29  9:47 ` Eric Dumazet
2011-06-29  9:55   ` Anders Nilsson Plymoth [this message]
2011-06-29 10:08     ` Eric Dumazet
2011-06-30  6:20       ` Kuzin Andrey
2011-06-30  6:47         ` Eric Dumazet
2011-06-30  7:36           ` Kuzin Andrey
2011-06-30 11:34             ` Eric Dumazet
2011-06-30 11:59               ` Patrick McHardy
2011-06-30 15:15                 ` Eric Dumazet
2011-06-30 14:32                   ` Stephen Clark
2011-06-30 14:51                     ` Patrick McHardy
2011-06-30 17:07                       ` Eric Leblond
2011-06-30 17:45                         ` Eric Dumazet
2011-06-30 18:08                           ` Eric Leblond
2011-07-01  6:39                           ` Amos Jeffries
2011-07-01  7:00                           ` [RFC] nfnetlink_queue not scalable Eric Dumazet
2011-07-01  7:49                             ` Florian Westphal
2011-07-01 15:27                               ` [PATCH 1/2] nfnetlink: add RCU in nfnetlink_rcv_msg() Eric Dumazet
2011-07-01 14:11                                 ` Florian Westphal
2011-07-05 13:22                                 ` Patrick McHardy
2011-07-18 14:06                                 ` Patrick McHardy
2011-07-01 15:08                           ` netfilter queue throughput slowdown Anders Nilsson Plymoth
2011-06-30 22:24                   ` Sam Roberts
2011-07-01  4:53                     ` Eric Dumazet
2011-06-30 22:26         ` Sam Roberts
2011-07-01  4:52           ` Eric Dumazet
2011-07-02 12:25 ` Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='BANLkTi=C7J0u_kn6UknFsGAx9Z5kHUUBrw@mail.gmail.com' \
    --to=lanilsson@gmail.com \
    --cc=eric.dumazet@gmail.com \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).