On 14.11.2012 00:16, Alfred Perlstein wrote:
Alexander, this is awesome.
On 11/13/12 11:28 AM, Alexander V. Chernikov wrote:
Hello list!
Currently most ipfw operations with dynamic states (keep-state,
check-state, limit) are serialized via IPFW_DYN_LOCK() which is
per-vnet mutex lock.
As a result, performance is limited to the same ~650kpps as in routing
(in several cases).
Patch changes the following:
* global lock is changed to per-bucket mutex
* state expiration is done in ipfw_tick every 1s. No expiration is
done on forwarding path
* hash table resize is done automatically and does not cause all
states to be lost
The only (architectural) problem I see is unlocked V_dyn_count
increments.
So, we can do the following:
1) lock increments/decrements via some separate mutex
2) do nothing
3) take some combined approach:
Generally, we don't need value to be _exact_.
As a result, we count total number of states in every ipfw_tick run
and set V_dyn_count to new value. New states still increment
V_dyn_count unlocked.
What about using per-cpu PCPU counters, and then collecting them for
display/reporting?
We currently don't have working dynamic PCPU counters in our base system.
However, there is a patch implementing such counters based on UMA.
(And we're testing it on ipfw :) ). I hope it will be announced till the
end of this month.
-Alfred
Performance:
Synthetic traffic, ipfw with single allow ip from any to any rule: 2.4M.
single keep-state ip from any to any: 2.2M.
Some more tests should be taken (with large number of states,
different types of traffic, etc), maybe I can do some next week.
You need to run recent -current or merge r242631 and r242834 before
applying this patch.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[email protected]"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[email protected]"
