[PATCH 0/3] netfilter : 3 patches to boost ip_tables performance
Eric Dumazet
dada1 at cosmosbay.com
Fri Sep 23 19:47:53 CEST 2005
Harald Welte wrote:
> On Thu, Sep 22, 2005 at 05:50:49PM +0200, Eric Dumazet wrote:
>
>>Christoph Lameter wrote:
>>
>>>It should really be do_set_mempolicy instead to be cleaner. I got a patch here that fixes the
>>>policy layer.
>>>But still I agree with Christoph that a real vmalloc_node is better. There will be no fuzzing
>>>around with memory policies etc and it's certainly better performance-wise.
>>
>>vmalloc_node() should be seldom used, at driver init, or when a new
>>ip_tables is loaded. If it happens to be a performance problem, then
>>we can optimize it. Why should we spend days of work for a function
>>that is yet to be used?
>
>
> I see a contradiction in your sentence. "a new ip_tables is loaded"
> every time a user changes a single rule. There are numerous setups that
> dynamically change the ruleset (e.g. at interface up/down point, or even
> think of your typical wlan hotspot, where once a user is authorized,
> he'll get different rules).
>
But a user changing a single rule usually calls (fork()/exec()) a program
called iptables. The underlying cost of all this, plus copying the rules to
user space, so that iptables changes them and reloads them in the kernel, is far
more important than a hypothetical vmalloc_node() performance problem.
Eric