Re: [PATCH 0/3] netfilter : 3 patches to boost ip_tables performance

From: Eric Dumazet
Date: Fri Sep 23 2005 - 12:48:29 EST


Harald Welte a écrit :
On Thu, Sep 22, 2005 at 05:50:49PM +0200, Eric Dumazet wrote:

Christoph Lameter a écrit :

It should really be do_set_mempolicy instead to be cleaner. I got a patch here that fixes the policy layer.
But still I agree with Christoph that a real vmalloc_node is better. There will be no fuzzing around with memory policies etc and its certainly better performance wise.

vmalloc_node() should be seldom used, at driver init, or when a new
ip_tables is loaded. If it happens to be a performance problem, then
we can optimize it. Why should we spend days of work for a function
that is yet to be used ?


I see a contradiction in your sentence. "a new ip_tables is loaded"
every time a user changes a single rule. There are numerous setups that
dynamically change the ruleset (e.g. at interface up/down point, or even
think of your typical wlan hotspot, where once a user is authorized,
he'll get different rules.


But a user changing a single rule usually calls (fork()/exec()) a program called iptables. The underlying cost of all this, plus copying the rules to user space, so that iptables change them and reload them in the kernel is far more important than an hypothetical vmalloc_node() performance problem.

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/