Re: [PATCH v2 -next 1/2] netfilter: iptables: separate counters from iptables rules

On Thu, 2015-05-28 at 22:51 +0200, Florian Westphal wrote:
> The binary arp/ip/ip6tables ruleset is stored per cpu.
> 
> The only reason left as to why we need percpu duplication are the rule
> counters embedded into ipt_entry et al -- since each cpu has its own copy
> of the rules, all counters can be lockless.
> 
> The downside is that the more cpus are supported, the more memory is
> required.  Rules are not just duplicated per online cpu but for each
> possible cpu, i.e. if maxcpu is 144, then the rule is duplicated 144 times,
> not for the e.g. 64 cores present.
> 
> To save some memory and also allow cpus with shared caches to make
> better use of available cache size, it would be preferable to only
> store a copy of the rule blob for each numa node.
> 
> So we first need to separate counters and the rule blob.
> 
> We create an array of struct xt_counters for each possible cpu and
> index them from the main blob via the (unused after validation)
> ->comefrom member.

Yeah, I remember trying to work on this exact idea some years ago,
but gave up (maybe because nftables was coming).

> 
> Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
> Acked-by: Jesper Dangaard Brouer <brouer@xxxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  Changes since v1:
>   - add ->comefrom comment in arptables, too
> 
>  include/linux/netfilter/x_tables.h |  6 ++++++
>  net/ipv4/netfilter/arp_tables.c    | 33 +++++++++++++++---------------
>  net/ipv4/netfilter/ip_tables.c     | 31 ++++++++++++++--------------
>  net/ipv6/netfilter/ip6_tables.c    | 32 ++++++++++++++---------------
>  net/netfilter/x_tables.c           | 42 ++++++++++++++++++++++++++++++++++++++
>  5 files changed, 95 insertions(+), 49 deletions(-)
> 
> diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
> index 09f3820..e50ba76 100644
> --- a/include/linux/netfilter/x_tables.h
> +++ b/include/linux/netfilter/x_tables.h
> @@ -224,6 +224,12 @@ struct xt_table_info {
>  	unsigned int stacksize;
>  	unsigned int __percpu *stackptr;
>  	void ***jumpstack;
> +
> +	/* pointer to array of counters, one per CPU
> +	 * each rule maps 1:1 to an entry in the percpu counter array.
> +	 */
> +	struct xt_counters **counters;
> +
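Review bot: the comment on the new `counters` member reads "one per CPU", but the member is a `struct xt_counters **`, i.e. an array of per-cpu counter arrays, so the two levels of indexing should be spelled out in the header: the outer index is the cpu (sized for possible cpus, per the commit message) and the inner index is the rule's ->comefrom slot, e.g. `/* counters[cpu][rule_index]: one counter array per possible cpu, */`. The header also says nothing about who allocates and frees these arrays; a one-line reference to the x_tables.c helpers that own them would save readers a grep.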

You could avoid using this array, if you use alloc_percpu(struct
xt_counter) per counter.

In the rules, instead of storing the index of each counter, store the
percpu address.

This would avoid yet another indirection in iptables.

And it would be nice to avoid this stuff on non-SMP kernels, maybe?

Thanks!
