Re: [PATCH 0/3] netfilter : 3 patches to boost ip_tables performance

[Eric Dumazet]

Harald Welte a écrit :
> On Thu, Sep 22, 2005 at 05:50:49PM +0200, Eric Dumazet wrote:
>
> > Christoph Lameter a écrit :
> >
> > > It should really be do_set_mempolicy instead to be cleaner. I got a patch here that fixes the 
> > > policy layer.
> > > But still I agree with Christoph that a real vmalloc_node is better. There will be no fuzzing 
> > > around with memory policies etc and its certainly better performance wise.
> >
> > vmalloc_node() should be seldom used, at driver init, or when a new
> > ip_tables is loaded. If it happens to be a performance problem, then
> > we can optimize it.  Why should we spend days of work for a function
> > that is yet to be used ?
>
>
> I see a contradiction in your sentence.  "a new ip_tables is loaded"
> every time a user changes a single rule.  There are numerous setups that
> dynamically change the ruleset (e.g. at interface up/down point, or even
> think of your typical wlan hotspot, where once a user is authorized,
> he'll get different rules.

But a user changing a single rule usually calls (fork()/exec()) a program 
called iptables. The underlying cost of all this, plus copying the rules to 
user space, so that iptables change them and reload them in the kernel is far 
more important than an hypothetical vmalloc_node() performance problem.

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/