[PATCH 0/2] Scalability performance work on iptables/libiptc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There are scalability/performance issues with iptables in libiptc.c,
when parsing/pulling-out the ruleset blob.  As I discussed shortly with
Harald and Martin during the workshop.

These patches performance optimize two scalability issues.

1) Sorting chain during pull-out give worst-case runtime O(Chains^2),
   reduced to O(Chains) only when creating a new chain.

2) Finding jump chains is suboptimal O(Chain*Rules), reduced to O(R)
   and chain offset lookup to O(1).

The idea behind these fixes are based upon patches posted by Paul
C. Diem <PCDiem@xxxxxxxxxxxxx> back in June+Oct 2006.

These performance issues will only be noticed when the rule set is
large enough.  For me, in real life, its actually a real performance
issue. On one production system (Rules=26209 and Chains=6233) it takes
10 seconds to create a new chain by calling "iptables -N test", with
these patches its reduced to 0.145 second.

-- 
Med venlig hilsen / Best regards
  Jesper Brouer
  ComX Networks A/S
  Linux Network developer
  Cand. Scient Datalog / MSc.
  Author of http://adsl-optimizer.dk
  LinkedIn: http://www.linkedin.com/in/brouer
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux