Date:      Wed, 14 Nov 2012 00:33:08 +0400
From:      "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To:        Alfred Perlstein <bright@mu.org>
Cc:        "Alexander V. Chernikov" <melifaro@yandex-team.ru>, freebsd-ipfw@freebsd.org, Luigi Rizzo <rizzo@iet.unipi.it>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: [CFT] ipfw SMP-ready dynamic states
Message-ID:  <50A2AE84.5040304@FreeBSD.org>
In-Reply-To: <50A2AA89.9060309@mu.org>
References:  <50A29F57.6090701@yandex-team.ru> <50A2AA89.9060309@mu.org>

On 14.11.2012 00:16, Alfred Perlstein wrote:
> Alexander, this is awesome.
>
> On 11/13/12 11:28 AM, Alexander V. Chernikov wrote:
>> Hello list!
>>
>> Currently most ipfw operations with dynamic states (keep-state,
>> check-state, limit) are serialized via IPFW_DYN_LOCK() which is
>> per-vnet mutex lock.
>>
>> As a result, performance is limited to the same ~650kpps as in routing
>> (in several cases).
>>
>> Patch changes the following:
>> * global lock is changed to per-bucket mutex
>> * state expiration is done in ipfw_tick every 1s. No expiration is
>> done on forwarding path
>> * hash table resize is done automatically and does not cause all
>> states to be lost
>>
>> The only (architectural) problem I see is unlocked V_dyn_count
>> increments.
>> So, we can do the following:
>> 1) lock increments/decrements via some separate mutex
>> 2) do nothing
>> 3) take some combined approach:
>>
>> Generally, we don't need value to be _exact_.
>> As a result, we count total number of states in every ipfw_tick run
>> and set V_dyn_count to new value. New states still increment
>> V_dyn_count unlocked.
>>
> What about using per-cpu PCPU counters, and then collecting them for
> display/reporting?
We currently don't have working dynamic PCPU counters in our base system.

However, there is a patch implementing such counters based on UMA.
(And we're testing it on ipfw :) ). I hope it will be announced by the
end of this month.

>
> -Alfred
>
>
>>
>> Performance:
>>
>> Synthetic traffic, ipfw with single allow ip from any to any rule: 2.4M.
>> single keep-state ip from any to any: 2.2M.
>>
>> Some more tests should be taken (with large number of states,
>> different types of traffic, etc), maybe I can do some next week.
>>
>>
>> You need to run recent -current or merge r242631 and r242834 before
>> applying this patch.
>
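
The scheme discussed in this thread (per-bucket mutexes, expiration only in a periodic tick, and an approximate state counter that the tick overwrites with the exact total), as an added userspace example using pthreads. It is not code from the patch or from FreeBSD; `tbl`, `add_state`, `tick`, `fill_and_drift` and the workload sizes are hypothetical, and the load-then-store on `dyn_count` is an assumption standing in for the unlocked V_dyn_count increment.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

enum { NBUCKETS = 64, NTHREADS = 4, PER_THREAD = 5000 };  /* constructed workload */
struct state { unsigned key, expire; struct state *next; };
struct bucket { pthread_mutex_t mtx; struct state *head; };
static struct bucket tbl[NBUCKETS];
static atomic_uint dyn_count;          /* approximate total (models V_dyn_count) */

static void add_state(unsigned key, unsigned expire) {
    struct bucket *b = &tbl[key % NBUCKETS];
    struct state *s = malloc(sizeof(*s));
    if (s == NULL) abort();
    s->key = key; s->expire = expire;
    pthread_mutex_lock(&b->mtx);       /* serializes this bucket only */
    s->next = b->head; b->head = s;
    pthread_mutex_unlock(&b->mtx);
    atomic_store(&dyn_count, atomic_load(&dyn_count) + 1); /* unlocked RMW: may lose updates */
}

/* Periodic pass: drop expired states, then overwrite the counter with the exact total. */
static unsigned tick(unsigned now) {
    unsigned live = 0;
    for (int i = 0; i < NBUCKETS; i++) {
        pthread_mutex_lock(&tbl[i].mtx);
        for (struct state **pp = &tbl[i].head; *pp != NULL; ) {
            struct state *s = *pp;
            if (s->expire <= now) { *pp = s->next; free(s); }
            else { live++; pp = &s->next; }
        }
        pthread_mutex_unlock(&tbl[i].mtx);
    }
    atomic_store(&dyn_count, live);
    return live;
}

static void *worker(void *arg) {
    unsigned base = (unsigned)(size_t)arg * PER_THREAD;
    for (unsigned i = 0; i < PER_THREAD; i++) add_state(base + i, (i % 2) ? 10 : 100);
    return NULL;                       /* half of the states expire at t=10 */
}

static unsigned fill_and_drift(void) { /* returns increments the counter lost */
    pthread_t th[NTHREADS];
    for (int i = 0; i < NBUCKETS; i++) pthread_mutex_init(&tbl[i].mtx, NULL);
    for (int i = 0; i < NTHREADS; i++) pthread_create(&th[i], NULL, worker, (void *)(size_t)i);
    for (int i = 0; i < NTHREADS; i++) pthread_join(th[i], NULL);
    return NTHREADS * PER_THREAD - atomic_load(&dyn_count);
}

int main(void) { fill_and_drift(); return tick(10) == 10000 ? 0 : 1; }
```

Between ticks the counter can only undercount, so any limit checked against it is enforced approximately until the next pass restores the exact value.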