netfilter: x_table: speedup compat operations
One iptables invocation with 135000 rules takes 35 seconds of cpu time on a recent server, using a 32bit distro and a 64bit kernel.

We eventually trigger NMI/RCU watchdog.

INFO: rcu_sched_state detected stall on CPU 3 (t=6000 jiffies)

COMPAT mode has quadratic behavior and consumes 16 bytes of memory per rule.

Switch the xt_compat algos to use an array instead of list, and use a binary search to locate an offset in the sorted array.

This halves memory need (8 bytes per rule), and removes quadratic behavior [ O(N*N) -> O(N*log2(N)) ]

Time of iptables goes from 35 s to 150 ms.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
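The commit message describes the data-structure change but the page carries no hunks for it, so here is an added, self-contained illustration of the approach in C. It is not the kernel's code: the names (`compat_tab`, `compat_add_offset`, `compat_calc_jump`, the `sample_*` helpers), the four-rule blob and its per-rule growth values are all constructed for this example. It shows why a sorted array plus binary search suffices: rules are visited in blob order during translation, so offsets arrive already sorted, each entry stores the cumulative growth, and a 32-bit jump target is mapped to its native offset by adding the growth of every rule that lies before it. An O(N) walk with the same contract is included to cross-check the binary search, and a guard rejects out-of-order insertion, which would silently break the search.

```c
#include <stdio.h>
#include <stdlib.h>

/* One entry per rule: 'offset' is the rule's position in the 32-bit (compat)
 * blob, 'delta' is the CUMULATIVE growth of all rules up to and including
 * this one when laid out with native sizes. Two ints per rule. */
struct compat_delta {
	unsigned int offset;
	int delta;
};

struct compat_tab {
	struct compat_delta *tab;
	unsigned int number;	/* capacity: rule count known up front */
	unsigned int cur;	/* entries filled so far */
};

static int compat_tab_init(struct compat_tab *t, unsigned int number)
{
	t->tab = calloc(number, sizeof(*t->tab));
	if (!t->tab)
		return -1;
	t->number = number;
	t->cur = 0;
	return 0;
}

static void compat_tab_free(struct compat_tab *t)
{
	free(t->tab);
	t->tab = NULL;
	t->number = t->cur = 0;
}

/* Append one rule. Offsets must arrive strictly increasing, so the array is
 * sorted by construction; the per-rule delta is turned into a running sum. */
static int compat_add_offset(struct compat_tab *t, unsigned int offset, int delta)
{
	if (t->cur >= t->number)
		return -1;			/* table full */
	if (t->cur && offset <= t->tab[t->cur - 1].offset)
		return -1;			/* would break sort order */
	if (t->cur)
		delta += t->tab[t->cur - 1].delta;
	t->tab[t->cur].offset = offset;
	t->tab[t->cur].delta = delta;
	t->cur++;
	return 0;
}

/* Growth of everything located before 'offset': the cumulative delta of the
 * last entry whose offset is strictly below it. Binary search, O(log N). */
static int compat_calc_jump(const struct compat_tab *t, unsigned int offset)
{
	int left = 0, right = (int)t->cur - 1;

	while (left <= right) {
		int mid = left + (right - left) / 2;

		if (offset > t->tab[mid].offset)
			left = mid + 1;
		else if (offset < t->tab[mid].offset)
			right = mid - 1;
		else
			return mid ? t->tab[mid - 1].delta : 0;
	}
	/* No exact hit: 'left' is the first entry at or past 'offset'. */
	return left ? t->tab[left - 1].delta : 0;
}

/* O(N) reference with the same contract, used only to cross-check. */
static int compat_calc_jump_linear(const struct compat_tab *t, unsigned int offset)
{
	int delta = 0;
	unsigned int i;

	for (i = 0; i < t->cur && t->tab[i].offset < offset; i++)
		delta = t->tab[i].delta;
	return delta;
}

/* Constructed sample: four rules in a 32-bit blob with made-up growth. */
static const struct compat_delta sample_rules[] = {
	{ 0, 8 }, { 100, 16 }, { 220, 8 }, { 300, 24 },
};
static struct compat_tab sample_tab;

static int sample_build(void)
{
	unsigned int i, n = sizeof(sample_rules) / sizeof(sample_rules[0]);

	if (sample_tab.tab)
		return 0;			/* already built */
	if (compat_tab_init(&sample_tab, n))
		return -1;
	for (i = 0; i < n; i++)
		if (compat_add_offset(&sample_tab, sample_rules[i].offset,
				      sample_rules[i].delta))
			return -1;
	return 0;
}

/* Native offset of a 32-bit jump target: target + growth before it. */
static int sample_native_target(unsigned int compat_target)
{
	if (sample_build())
		return -1;
	return (int)compat_target + compat_calc_jump(&sample_tab, compat_target);
}

/* 1 if binary search and linear walk agree on every offset 0..500. */
static int sample_cross_check(void)
{
	unsigned int v;

	if (sample_build())
		return 0;
	for (v = 0; v <= 500; v++)
		if (compat_calc_jump(&sample_tab, v) !=
		    compat_calc_jump_linear(&sample_tab, v))
			return 0;
	return 1;
}

/* 1 if an out-of-order offset is refused (sort order is a precondition). */
static int sample_rejects_unsorted(void)
{
	struct compat_tab t;
	int ok;

	if (compat_tab_init(&t, 2))
		return 0;
	ok = compat_add_offset(&t, 50, 8) == 0 && compat_add_offset(&t, 40, 8) != 0;
	compat_tab_free(&t);
	return ok;
}

int main(void)
{
	unsigned int targets[] = { 0, 100, 220, 300, 400 };
	unsigned int i;

	for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)
		printf("compat offset %u -> native offset %d\n",
		       targets[i], sample_native_target(targets[i]));
	return 0;
}
```

The exact-hit branch returns the delta of the entry before the match rather than of the match itself: a jump to rule k must land on rule k's native position, which is shifted only by the growth of rules 0..k-1. The out-of-order guard is the check a reviewer would want next to any binary search over an array that is assumed sorted.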
Showing 6 changed files with 57 additions and 35 deletions
- include/linux/netfilter/x_tables.h: 2 additions, 1 deletion
- net/bridge/netfilter/ebtables.c: 1 addition, 0 deletions
- net/ipv4/netfilter/arp_tables.c: 2 additions, 0 deletions
- net/ipv4/netfilter/ip_tables.c: 2 additions, 0 deletions
- net/ipv6/netfilter/ip6_tables.c: 2 additions, 0 deletions
- net/netfilter/x_tables.c: 48 additions, 34 deletions