[PATCH 0/3] netfilter : 3 patches to boost ip_tables performance
laforge at netfilter.org
Fri Sep 23 19:09:11 CEST 2005
On Thu, Sep 22, 2005 at 03:03:21PM +0200, Andi Kleen wrote:
> > 1) No more central rwlock protecting each table (filter, nat, mangle, raw),
> > but one lock per CPU. It avoids cache line ping pongs for each packet.
> Another useful change would be to not take the lock when there are no
> rules. Currently just loading iptables has a large overhead.
This is partially due to the netfilter hooks that are registered (so we
always take nf_hook_slow() in the NF_HOOK() macro).
The default policies inside an iptables chain are internally implemented
as a rule. Thus, policies as built-in rules have packet/byte counters.
Therefore, without making a semantic change, we cannot do any of the
1) not take a lock when the chain is empty
2) not register at the netfilter hook when the chain is empty.
This is well-known, but I don't think we can change the semantics for
the user during a stable kernel series. That's one point where not
having 2.7.x really hurts.
- Harald Welte <laforge at netfilter.org> http://netfilter.org/
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20050923/e31c65c3/attachment.bin
More information about the netfilter-devel