On Sunday 04 July 2010 at 15:56 +0200, Jan Engelhardt wrote:
> On Friday 2010-07-02 05:32, Simon Lodal wrote:
> >>
> >> This patchset adds the xtables2 main proper, and incrementally
> >> changes ip6_tables to use it. There are more patches for iptables
> >> and arptables and, but to not make it larger than needed, just this
> >> much for now.
> >>
> >> Previously featured on http://lwn.net/Articles/345176/ .
> >
> >Nice to see some new development! Guess we all have a long wishlist that is
> >hard to implement in the current design, and this may make it easier.
> >
> >But what about performance? I think all these lists must cause a huge amount
> >of jumps in hot path (eg. filtering packets). The packed blob format is hard to
> >work with, but once created it is efficient. Do you have any expectations or
> >even numbers on the performance?
>
> Your suspicion was right, linked lists seem to have their impact.
>
> The command I used was
>
>     ping6 localhost -fc 500 -i .001
>
> this sends 500 packets in near-flood fashion (-i0 would lead to
> packet drops).
>
> Xtables1 blob-style 2.6.31-rc4:
> 500 packets transmitted, 500 received, 0% packet loss, time 3532ms
> 500 packets transmitted, 500 received, 0% packet loss, time 3428ms
> 500 packets transmitted, 500 received, 0% packet loss, time 3388ms
> 500 packets transmitted, 500 received, 0% packet loss, time 3339ms
> 500 packets transmitted, 500 received, 0% packet loss, time 3219ms
>
> Xtables1 blob-style 2.6.34:
> 500 packets transmitted, 500 received, 0% packet loss, time 3405ms
> 500 packets transmitted, 500 received, 0% packet loss, time 3525ms
> 500 packets transmitted, 500 received, 0% packet loss, time 3426ms
> 500 packets transmitted, 500 received, 0% packet loss, time 3388ms
> 500 packets transmitted, 500 received, 0% packet loss, time 3328ms
>
> Xtables2 (linked lists) 2.6.35-rc1:
> 500 packets transmitted, 500 received, 0% packet loss, time 14775ms
> 500 packets transmitted, 500 received, 0% packet loss, time 14383ms
> 500 packets transmitted, 500 received, 0% packet loss, time 14381ms
> 500 packets transmitted, 500 received, 0% packet loss, time 15432ms
> 500 packets transmitted, 500 received, 0% packet loss, time 14498ms
>
> nftables (uses linked lists) 2.6.31-rc4:
> 500 packets transmitted, 500 received, 0% packet loss, time 16198ms
> 500 packets transmitted, 500 received, 0% packet loss, time 16128ms
> 500 packets transmitted, 500 received, 0% packet loss, time 16492ms
> 500 packets transmitted, 500 received, 0% packet loss, time 16451ms
> 500 packets transmitted, 500 received, 0% packet loss, time 16475ms
>
> Well I guess Xt2 isn't the total backlight :-)
>
> Do you have any suggestions for improvement though?
>

I don't understand how it is possible to spend so much time per packet,
just adding a few pointers :)

Are you sure you don't hit another problem?

Could you give us the rules you use?