[RFC nf-next 0/7] netfilter: nf_conncount: optimize nf_conncount performance

This patch series applies the following techniques to optimize nf_conncount
performance.

* Early exit for garbage collection
In order to reduce gc time, we skip traversing the full list on
every node when doing garbage collection, since it is enough to zap
a couple of expired entries.

* Split tree insertion and traversal
When we have a very coarse grouping, e.g. by large subnets, zone id,
etc., it is likely that we do not need to do tree rotation because
we'll find a node where we can attach the new entry.  Based on this
observation, we then make traversal lockless (tree protected
by RCU), and add an extra lock in the individual node to protect list
insertion/deletion, thereby allowing parallel insert/delete in different
tree nodes.

* Add garbage collection worker
Instead of doing all of the garbage collection task in the packet forwarding
path, we will schedule a garbage collection worker when the number of
nodes that can be freed exceeds a threshold.

This patch series has a dependency on the following commit in the nf git tree.
21ba8847 ("netfilter: nf_conncount: Fix garbage collection with zones")

Yi-Hung Wei (7):
  netfilter: nf_conncount: Early exit for garbage collection
  netfilter: nf_conncount: Switch to plain list
  netfilter: nf_conncount: Early exit in nf_conncount_lookup() and
    cleanup
  netfilter: nf_conncount: Move locking into count_tree()
  netfilter: nf_conncount: Split insert and traversal
  netfilter: nf_conncount: Add list lock and use RCU for init tree
    search
  netfilter: nf_conncount: Add garbage collection worker

 include/net/netfilter/nf_conntrack_count.h |  37 ++-
 net/netfilter/nf_conncount.c               | 374 ++++++++++++++++++++++-------
 net/netfilter/nft_connlimit.c              |  36 +--
 3 files changed, 332 insertions(+), 115 deletions(-)

-- 
2.7.4
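
The "early exit for garbage collection" idea from the cover letter above, as an added userspace sketch that is not code from the patch series: each pass frees at most a fixed number of expired entries and then stops. The names `conn`, `conn_list`, `list_add`, `list_gc` and the `GC_BUDGET` value are assumptions made for illustration.

```c
#include <stdlib.h>

#define GC_BUDGET 2  /* hypothetical per-pass limit: "a couple" of entries */

struct conn {                 /* one tracked connection in a node's list */
    struct conn *next;
    unsigned long expires;    /* constructed timestamp, arbitrary units */
};

struct conn_list {
    struct conn *head;
    unsigned int count;       /* connections currently counted */
};

/* Push a connection; returns 0 on success, -1 if allocation fails. */
static int list_add(struct conn_list *l, unsigned long expires)
{
    struct conn *c = malloc(sizeof(*c));
    if (!c)
        return -1;
    c->expires = expires;
    c->next = l->head;
    l->head = c;
    l->count++;
    return 0;
}

/* Free expired entries but stop after GC_BUDGET of them, so one call
 * never has to clear a long run of stale entries. Returns entries freed. */
static unsigned int list_gc(struct conn_list *l, unsigned long now)
{
    unsigned int collected = 0;
    struct conn **pp = &l->head;

    while (*pp && collected < GC_BUDGET) {
        struct conn *c = *pp;
        if (c->expires <= now) {
            *pp = c->next;    /* unlink; pp stays on the same slot */
            free(c);
            l->count--;
            collected++;
        } else {
            pp = &c->next;    /* live entry: step over it */
        }
    }
    return collected;
}
```

In this model `count` can still include expired entries after a pass; later passes remove them.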
