This patch series applies the following techniques to optimize nf_conncount performance.

* Early exit for garbage collection

  In order to reduce gc time, we skip traversing the full list on every node when doing garbage collection, since it is enough to zap a couple of expired entries.

* Split tree insertion and traversal

  When we have a very coarse grouping, e.g. by large subnets, zone id, etc., it is likely that we do not need to do tree rotation because we'll find a node where we can attach the new entry. Based on this observation, we then make traversal lockless (tree protected by RCU), and add an extra lock in the individual node to protect list insertion/deletion, thereby allowing parallel insert/delete in different tree nodes.

* Add garbage collection worker

  Instead of doing all of the garbage collection work in the packet forwarding path, we will schedule a garbage collection worker when the number of nodes that can be freed exceeds a threshold.

This patch series has a dependency on the following commit in the nf git tree.

b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race")

RFC -> v1:
* Rebase patch series to a bug fix commit on nf_conncount.
* Merge patch 7 and patch 6 into one commit to avoid a race condition.
Yi-Hung Wei (6):
  netfilter: nf_conncount: Early exit for garbage collection
  netfilter: nf_conncount: Switch to plain list
  netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup
  netfilter: nf_conncount: Move locking into count_tree()
  netfilter: nf_conncount: Split insert and traversal
  netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search

 include/net/netfilter/nf_conntrack_count.h |  37 ++-
 net/netfilter/nf_conncount.c               | 386 ++++++++++++++++++++++-------
 net/netfilter/nft_connlimit.c              |  36 +--
 3 files changed, 340 insertions(+), 119 deletions(-)

-- 
2.7.4
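The "early exit" garbage collection from the cover letter, as an added user-space model written for this page (not the kernel's nf_conncount code or the series itself): a per-node list of tracked connections is scanned, but the scan stops once a couple of expired entries have been zapped, so the packet path does bounded work and the remainder is left for a later pass. GC_EARLY_EXIT, the timestamps and the scenario in run_demo are constructed for the demo.

```c
/* User-space model (not the kernel's nf_conncount code) of the bounded
 * "early exit" gc described above; constants and timestamps are constructed. */
#include <stdlib.h>
#define GC_EARLY_EXIT 2   /* assumed: zap at most this many expired entries per pass */

struct conn { unsigned long expires; struct conn *next; };   /* expired once expires <= now */
struct conn_list { struct conn *head; unsigned int count; };  /* count = entries on the list */

void conn_list_add(struct conn_list *l, unsigned long expires)
{
    struct conn *c = malloc(sizeof(*c));
    if (!c) abort();
    c->expires = expires;
    c->next = l->head;
    l->head = c;
    l->count++;
}

/* Free expired entries, but stop after GC_EARLY_EXIT of them so the packet
 * path does bounded work; whatever is left is picked up by a later pass. */
unsigned int conn_list_gc(struct conn_list *l, unsigned long now)
{
    struct conn **pp = &l->head;
    unsigned int zapped = 0;
    while (*pp && zapped < GC_EARLY_EXIT) {
        struct conn *c = *pp;
        if (c->expires <= now) {
            *pp = c->next;      /* unlink and free the expired entry */
            free(c);
            l->count--;
            zapped++;
        } else {
            pp = &c->next;
        }
    }
    return zapped;
}

/* Constructed scenario: five expired entries plus one live one. Returns how
 * many gc passes run before no expired entry remains, or -1 if the live
 * entry was wrongly freed. */
int run_demo(void)
{
    struct conn_list l = { 0 };
    int passes = 0;
    for (unsigned long i = 0; i < 5; i++)
        conn_list_add(&l, 10 + i);   /* all expired at now = 20 */
    conn_list_add(&l, 100);          /* still live at now = 20 */
    while (conn_list_gc(&l, 20) > 0)
        passes++;
    free(l.head);                    /* the single surviving live entry */
    return l.count == 1 ? passes : -1;
}
```

With GC_EARLY_EXIT set to 2, draining five expired entries takes three passes; raising the constant trades longer scans in the packet path for fewer passes.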