The piece of code in commit [71ae0dff] that seems responsible for the
slowdown is the following:
include/linux/netfilter/x_tables.h:

static inline unsigned long xt_percpu_counter_alloc(void)
{
        /* On SMP, every rule gets its own per-CPU block of counters. */
        if (nr_cpu_ids > 1) {
                void __percpu *res = __alloc_percpu(sizeof(struct xt_counters),
                                                    sizeof(struct xt_counters));

                if (res == NULL)
                        return -ENOMEM;

                return (__force unsigned long) res;
        }

        /* Single CPU: no per-CPU allocation, 0 selects the plain counter path. */
        return 0;
}
If I increase the value in the if statement
from:
        if (nr_cpu_ids > 1) {
to:
        if (nr_cpu_ids > 10) {
... so forcing the system to skip the above if statement if it has fewer
than 10 CPUs, the performance of iptables is way better:
real 0m5.303s
user 0m0.076s
sys 0m0.280s
Need to find out whether there is an improvement that can be done here or not.
Eric
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1640786
Title:
netfilter regression introducing a performance slowdown in binary
ip/ip6tables
Status in linux package in Ubuntu:
Confirmed
Bug description:
Explanation:
It has been brought to my attention that Ubuntu kernel 4.4 has a
severe netfilter regression affecting the performance of the
"/sbin/iptables" command, especially when adding a large number of
policies. My source has documented everything here[2].
I was able to reproduce the situation on my side, and a kernel bisect
identified the same offending commit[1] as my source found for this
bug.
Running the commit right before the offending one has proven to have the
expected performance:
# commit [71ae0dff] <== Offending commit
real 0m33.314s
user 0m1.520s
sys 0m26.192s
# commit [d7b59742] <== Right before offending commit
real 0m5.952s
user 0m0.124s
sys 0m0.220s
Reproducer:
$ iptables -F
$ echo 3 > /proc/sys/vm/drop_caches
$ time (./list-addrs 3000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
"list-addrs" script can be found here[3]
Note:
* "iptables-restore" doesn't suffer from that netfilter regression, and
I'm also aware that "iptables-restore" is the favourite approach since
it is way more efficient than iptables being executed over and over,
once for each policy one wants to set, but since "/sbin/iptables" takes
vastly longer to perform with that commit, I think this needs to be
addressed anyway.
* I also tried with the latest and greatest iptables upstream code,
and got the same result.
Reference:
[1] https://github.com/torvalds/linux/commit/71ae0dff02d756e4d2ca710b79f2ff5390029a5f
[2] https://gist.github.com/williammartin/b75e3faf5964648299e4d985413e6c0c
[3] https://gist.github.com/williammartin/b75e3faf5964648299e4d985413e6c0c#file-list-addrs
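Added here as an example, not code from the bug report or its linked gists: the reproducer above, extended so the same N rules are loaded both ways (one iptables invocation per rule, then a single iptables-restore batch) and timed side by side, which gives a quick way to measure the regression on a given kernel. The address generator is a constructed stand-in, not the linked list-addrs script, and the benchmark needs root plus iptables; it only runs when RUN_BENCH=1 is set.

```shell
#!/bin/bash
# Added example (not from the bug report). Compares per-rule iptables calls
# against one iptables-restore batch for the same constructed rule set.

# Emit N constructed source addresses in 10.0.0.0/8, one per line.
gen_addrs() {
    local n=$1 i=0
    while [ "$i" -lt "$n" ]; do
        printf '10.%d.%d.%d\n' $(( (i / 65536) % 256 )) $(( (i / 256) % 256 )) $(( i % 256 ))
        i=$((i + 1))
    done
}

# Turn the address list into an iptables-restore batch for the filter table.
gen_restore_batch() {
    printf '*filter\n'
    gen_addrs "$1" | while read -r a; do
        printf -- '-A FORWARD -s %s/32 -j ACCEPT\n' "$a"
    done
    printf 'COMMIT\n'
}

# Time both loading paths for N rules. Needs root and iptables; flushes FORWARD.
bench() {
    local n=$1
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found"; return 2; }
    iptables -F FORWARD
    echo 3 > /proc/sys/vm/drop_caches 2>/dev/null
    echo "== $n rules, one iptables call per rule =="
    time (gen_addrs "$n" | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
    iptables -F FORWARD
    echo "== $n rules, single iptables-restore batch =="
    time (gen_restore_batch "$n" | iptables-restore -n)
    iptables -F FORWARD
}

if [ "${RUN_BENCH:-0}" = 1 ]; then
    bench "${1:-3000}"
fi
```

Run as root with RUN_BENCH=1 and an optional rule count; on an affected kernel the first timing grows far faster than the second as the count rises.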