On Wednesday 29 June 2011 at 11:17 +0200, Anders Nilsson Plymoth wrote:
> Hi,
>
> I am using libnetfilter-queue on a router running Ubuntu 10.10 with
> 2.6.35-28-generic. The problem I am having is that I am experiencing a
> very significant throughput slowdown whenever my NFQUEUE program is
> running. This happens even when I use a bare-bones libnetfilter-queue
> program that immediately issues an ACCEPT verdict as soon as it
> receives a packet. Whenever this program is running, my max throughput
> is cut in half, and the reason it happens is because nf_queue
> overflows (nf_queue: full at 1024 entries, dropping packets(s)), and I
> notice my CPU utilization is 100%. However, when my program is not
> running and I am not passing packets through NFQUEUE and the router
> routes packets as normal, I get full throughput with only 0.1% CPU
> utilization.
>
> I find this a bit strange: can the netfilter queue processing take the
> CPU from 0.1% to 100% and start dropping packets even with no other
> processing than immediately setting the verdict? We have two
> of these machines, with identical hardware and OS, and they experience
> the same behavior.
> I am also confused, as we have been using these machines previously and
> been able to obtain full throughput with our netfilter program.
>
> Does anyone have a clue here, or suggest what I should look into in
> order to speed things up?
>

Hmm, this is a known problem.

net/netfilter/nfnetlink_queue.c uses a single list of packets per queue. If your application gives a verdict for a packet not at the head of the queue, find_dequeue_entry() spends a lot of time finding the packet.

So are you sure you don't forget to give a verdict for some packets, and the queue fills to its limit?

Some attempts in the past tried to convert this list into a tree, but AFAIK nothing was merged.
By the way, the latest Ubuntu has a more recent kernel; you could try it, as it includes commit c463ac972315a0 (netfilter: nfnetlink_queue: some optimizations).
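An added C simulation of the single-list behaviour described in the reply above (constructed for illustration; it is not kernel code and not from this thread). It shows that verdicts given head-first cost one list node each, that verdicts for packets deep in the list make the lookup walk the whole list, and that packets never given a verdict pile up until the 1024-entry limit starts dropping new ones. The names nfq_enqueue, nfq_verdict and run are this example's own, not libnetfilter_queue or kernel functions.

```c
#include <stdlib.h>

/* Constructed model of the per-queue singly linked list in nfnetlink_queue.c. */
struct entry { unsigned int id; struct entry *next; };

struct queue {
    struct entry *head, *tail;
    unsigned int len, maxlen;   /* maxlen mirrors the 1024-entry default */
    unsigned long dropped;      /* packets refused because the queue was full */
    unsigned long walked;       /* list nodes visited while looking up verdicts */
};

static void queue_init(struct queue *q, unsigned int maxlen)
{
    q->head = q->tail = NULL; q->len = 0; q->maxlen = maxlen;
    q->dropped = q->walked = 0;
}

/* Queue a packet at the tail; a full queue drops it, as the kernel message reports. */
static int nfq_enqueue(struct queue *q, unsigned int id)
{
    struct entry *e;
    if (q->len >= q->maxlen) { q->dropped++; return -1; }
    e = malloc(sizeof *e);
    if (!e) return -1;
    e->id = id; e->next = NULL;
    if (q->tail) q->tail->next = e; else q->head = e;
    q->tail = e; q->len++;
    return 0;
}

/* Like find_dequeue_entry(): linear walk from the head until the id matches. */
static int nfq_verdict(struct queue *q, unsigned int id)
{
    struct entry *prev = NULL, *e;
    for (e = q->head; e; prev = e, e = e->next) {
        q->walked++;
        if (e->id != id) continue;
        if (prev) prev->next = e->next; else q->head = e->next;
        if (q->tail == e) q->tail = prev;
        q->len--; free(e);
        return 0;
    }
    return -1;   /* verdict for a packet that is not queued */
}

/* Queue n packets, then give verdicts head-first or tail-first; returns nodes walked. */
static unsigned long run(struct queue *q, unsigned int n, int tail_first)
{
    unsigned int k;
    queue_init(q, 1024);
    for (k = 1; k <= n; k++) nfq_enqueue(q, k);
    for (k = 0; k < n; k++) nfq_verdict(q, tail_first ? n - k : k + 1);
    return q->walked;
}
```

With 1000 queued packets, head-first verdicts walk 1000 nodes in total, tail-first verdicts walk 500500; queueing 2000 packets without any verdict leaves 1024 entries and 976 drops.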