Memory scaling issues with Per CPU Copy of ipt_entry tables in iptables

Shekhar Kshirsagar shekhar.kshirsagar at gmail.com
Sat Mar 18 09:06:15 CET 2006


In the iptables code (2.4/2.6), the iptables implementation makes a per-CPU
copy of the ipt_entry tables.
Looking in the code, it seems that a per-CPU copy is really required
only for two variables in the ipt_entry structure - 'comefrom' and
'counters'.

But further investigation reveals that the old ipchains implementation
(ipchains_core.c) had a per-CPU copy of only the counters instead of the
complete structure. So it seems like there was some specific reason to
move away from a per-CPU copy of just the counters to a per-CPU copy of
the complete ipt_entry tables.

Can somebody who knows the history of these changes help me understand the
implications if one wants to reduce iptables memory requirements by
going to a per-CPU copy of only two variables - 'comefrom' and 'counters'?

Thanks,
Shekhar
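
A toy C model of the two layouts the post contrasts, added here and not netfilter code: the present per-CPU copy of the whole entry beside a shared entry with only 'comefrom' and 'counters' held per CPU. rule_match, NENTRIES and NCPUS are constructed stand-ins for the real match/target blob and machine size.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model, added here and not netfilter code, of the two layouts the
 * post contrasts. Field names follow ipt_entry; rule_match and the sizes
 * below are constructed stand-ins for the real match/target blob. */
#define NENTRIES 4
#define NCPUS    2
struct rule_match { uint32_t src, dst, proto; };
struct counters   { uint64_t pcnt, bcnt; };

/* Layout A (current): the whole entry is replicated once per CPU. */
struct entry_full {
    struct rule_match m;
    unsigned int comefrom;       /* written while traversing the chain */
    struct counters counters;    /* written on every hit */
};

/* Layout B (proposed): one shared, read-only entry per rule plus a
 * per-CPU side array holding only the two fields the packet path writes. */
struct entry_shared { struct rule_match m; };
struct percpu_state { unsigned int comefrom; struct counters counters; };
static struct percpu_state state[NCPUS][NENTRIES];   /* one row per CPU */

/* Account a hit on one CPU: only that CPU's row is written, so the shared
 * entry stays read-only and needs no replication. Returns -1 if out of range. */
int hit(unsigned int cpu, unsigned int idx, uint64_t bytes)
{
    if (cpu >= NCPUS || idx >= NENTRIES) return -1;
    state[cpu][idx].counters.pcnt++;
    state[cpu][idx].counters.bcnt += bytes;
    return 0;
}

/* Sum one rule's counters over all CPUs, as a rule listing would show. */
struct counters total(unsigned int idx)
{
    struct counters c = { 0, 0 };
    for (unsigned int cpu = 0; cpu < NCPUS; cpu++) {
        c.pcnt += state[cpu][idx].counters.pcnt;
        c.bcnt += state[cpu][idx].counters.bcnt;
    }
    return c;
}

/* Footprint of each layout for n entries on ncpus CPUs. */
size_t bytes_full(size_t n, size_t ncpus)
{ return n * ncpus * sizeof(struct entry_full); }
size_t bytes_shared(size_t n, size_t ncpus)
{ return n * sizeof(struct entry_shared) + n * ncpus * sizeof(struct percpu_state); }
```

The saving from layout B grows with the size of the shared part of the entry, which in a real table is dominated by the match/target data rather than the three fields modelled here.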
