Re: netfilter queue throughput slowdown

Hi Eric,

Thanks for your reply.
Yes, I am sure I set the verdict, as right now I do it on all packets
by default.
I will try upgrading and see if it works. Do you know if commit
c463ac972315a0 solves the problem you mentioned?

Thanks,
Anders

On Wed, Jun 29, 2011 at 11:47 AM, Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
> On Wednesday, 29 June 2011 at 11:17 +0200, Anders Nilsson Plymoth wrote:
>> Hi,
>>
>> I am using libnetfilter-queue on a router running Ubuntu 10.10 with
>> 2.6.35-28-generic. The problem I am having is that I am experiencing a
>> very significant throughput slowdown whenever my NFQUEUE program is
>> running. This happens even when I use a bare-bones libnetfilter-queue
>> program that immediately issues an ACCEPT verdict as soon as it
>> receives a packet. Whenever this program is running, my max throughput
>> is cut in half, and the reason it happens is because nf_queue
>> overflows (nf_queue: full at 1024 entries, dropping packets(s)), and I
>> notice my CPU utilization is 100%. However, when my program is not
>> running and I am not passing packets through NFQUEUE and the router
>> routes packets as normal, I get full throughput with only 0.1% CPU
>> utilization.
>>
>> I find this a bit strange, can the netfilter queue processing take the
>> cpu from 0.1% to 100% and start dropping packets even with no other
>> processing than immediately setting the verdict? We have two
>> of these machines, with identical hardware and OS, and they experience
>> the same behavior.
>> I am also confused as we have been using these machines previously and
>> been able to obtain full throughput with our netfilter program.
>>
>> Does anyone have a clue here, or can anyone suggest what I should look
>> into in order to speed things up?
>>
>
> Hmm, this is a known problem.
>
> net/netfilter/nfnetlink_queue.c uses a single list of packets per queue.
>
> If your application gives verdict for a packet not at the head of queue,
> find_dequeue_entry() spends a lot of time to find the packet.
>
> So are you sure you don't forget to give verdict for some packets, and
> queue fills to its limit?
>
> Some attempts in the past tried to convert this list into a tree but AFAIK
> nothing was merged.
>
> By the way, latest Ubuntu has more recent kernel, you could try it as it
> includes commit c463ac972315a0 (netfilter: nfnetlink_queue: some
> optimizations)
>
>
>
>
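The effect described in the quoted reply, as an added user-space model that is not part of the thread and is not kernel code: one ordered list per queue, a linear search for every verdict, and a 1024-entry limit. The names `simulate` and `model_find_dequeue` and the one-in-ten lost-verdict rate are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define QUEUE_MAXLEN 1024 /* limit from the quoted "full at 1024 entries" message */
struct result { unsigned long steps, drops, left; };
static unsigned int queue[QUEUE_MAXLEN], queue_total; /* packet ids, oldest first */

/* Linear search from the head, as a single per-queue list requires.
 * Returns the number of entries examined, or 0 if the id is not queued. */
static unsigned long model_find_dequeue(unsigned int id)
{
    for (unsigned int i = 0; i < queue_total; i++) {
        if (queue[i] != id)
            continue;
        memmove(&queue[i], &queue[i + 1], (queue_total - i - 1) * sizeof(queue[0]));
        queue_total--;
        return i + 1;
    }
    return 0;
}

/* Queue npackets ids; userspace answers each one at once, except that every
 * skip_every-th packet never gets a verdict (skip_every == 0: none skipped). */
struct result simulate(unsigned int npackets, unsigned int skip_every)
{
    struct result r = {0, 0, 0};
    queue_total = 0;
    for (unsigned int id = 1; id <= npackets; id++) {
        if (queue_total >= QUEUE_MAXLEN) { /* queue full: packet is dropped */
            r.drops++;
            continue;
        }
        queue[queue_total++] = id;
        if (skip_every && id % skip_every == 0)
            continue;                      /* forgotten verdict: entry stays queued */
        r.steps += model_find_dequeue(id); /* cost grows with stuck entries ahead */
    }
    r.left = queue_total;
    return r;
}

int main(void)
{
    struct result ok = simulate(20000, 0), leak = simulate(20000, 10);
    printf("all verdicts: %lu steps, %lu drops\n", ok.steps, ok.drops);
    printf("1 in 10 lost: %lu steps, %lu drops, %lu stuck\n",
           leak.steps, leak.drops, leak.left);
    return 0;
}
```

With every verdict given, each lookup hits the head of the list; with one verdict in ten missing, the stuck entries pile up ahead of every later packet until the queue reaches its limit and everything after that is dropped.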