Søndag 04 juli 2010 15:56:03 skrev Jan Engelhardt: > On Friday 2010-07-02 05:32, Simon Lodal wrote: > >> This patchset adds the xtables2 main proper, and incrementally > >> changes ip6_tables to use it. There are more patches for iptables > >> and arptables and, but to not make it larger than needed, just this > >> much for now. > >> > >> Previously featured on http://lwn.net/Articles/345176/ . > > > >Nice to see some new development! Guess we all have a long wishlist that > >is hard to implement in the current design, and this may make it easier. > > > >But what about performance? I think all these lists must cause a huge > >amount of jumps in hot path (eg. filtering packets). The packed blob > >format is hard to work with, but once created it is efficient. Do you > >have any expectations or even numbers on the performance? > > Your suspicion was right, linked lists seem to have their impact. > > The command I used was > > ping6 localhost -fc 500 -i .001 > > this sends 500 packets in near-flood fashion (-i0 would lead to > packet drops). > > Xtables1 blob-style 2.6.31-rc4: > 500 packets transmitted, 500 received, 0% packet loss, time 3532ms > 500 packets transmitted, 500 received, 0% packet loss, time 3428ms > 500 packets transmitted, 500 received, 0% packet loss, time 3388ms > 500 packets transmitted, 500 received, 0% packet loss, time 3339ms > 500 packets transmitted, 500 received, 0% packet loss, time 3219ms > > Xtables1 blob-style 2.6.34: > 500 packets transmitted, 500 received, 0% packet loss, time 3405ms > 500 packets transmitted, 500 received, 0% packet loss, time 3525ms > 500 packets transmitted, 500 received, 0% packet loss, time 3426ms > 500 packets transmitted, 500 received, 0% packet loss, time 3388ms > 500 packets transmitted, 500 received, 0% packet loss, time 3328ms > > Xtables2 (linked lists) 2.6.35-rc1: > 500 packets transmitted, 500 received, 0% packet loss, time 14775ms > 500 packets transmitted, 500 received, 0% packet loss, time 14383ms > 500 packets transmitted, 500 received, 0% packet loss, time 14381ms > 500 packets transmitted, 500 received, 0% packet loss, time 15432ms > 500 packets transmitted, 500 received, 0% packet loss, time 14498ms > > nftables (uses linked lists) 2.6.31-rc4: > 500 packets transmitted, 500 received, 0% packet loss, time 16198ms > 500 packets transmitted, 500 received, 0% packet loss, time 16128ms > 500 packets transmitted, 500 received, 0% packet loss, time 16492ms > 500 packets transmitted, 500 received, 0% packet loss, time 16451ms > 500 packets transmitted, 500 received, 0% packet loss, time 16475ms > > Well I guess Xt2 isn't the total backlight :-) > > Do you have any suggestions for improvement though? Interesting. I think it is a question of granularity. At what level do we use lists, vs. blobs? It seems to be a flexibility/performance tradeoff. I have hundreds of kpps 24/7 and rarely reload rules, so I am strictly in the performance camp :-) Chain granularity that we have now is maybe too big. Match/target granularity that you use is apparently too small. Also, is the ability to edit matches and targets really useful? Perhaps rule granularity (keep each rule as one blob) is right. Another thought, though beyond the scope of this patchset: The kernel side could have two rulesets: 1) In linked lists (like your patch), what userspace sees. 2) Big packed blobs, generated in kernel from the lists; what filtering actually runs off. So userspace gets flexibility, and kernel side gets performance, plus dealing with packaging the blob, copying it NR_CPU times, swapping it in atomically. Simon -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
