Date: Tue, 6 Dec 2005 10:45:49 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/netinet ip_fw2.c Message-ID: <200512061045.jB6AjopR018089@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
glebius 2005-12-06 10:45:49 UTC FreeBSD src repository Modified files: sys/netinet ip_fw2.c Log: Optimize parallel processing of ipfw(4) rulesets eliminating the locking of the radix lookup tables. Since several rnh_lookup() can run in parallel on the same table, we can piggyback on the shared locking provided by ipfw(4). However, the single entry cache in the ip_fw_table can't be used lockless, so it is removed. This pessimizes two cases: processing of bursts of similar packets and matching one packet against the same table several times during one ipfw_chk() lookup. To optimize the processing of similar packet bursts administrator should use stateful firewall. To optimize the second problem a solution will be provided soon. Details: o Since we piggyback on the ipfw(4) locking, and the latter is per-chain, the tables are moved from the global declaration to the struct ip_fw_chain. o The struct ip_fw_table is shrunk to one entry and thus vanished. o All table manipulating functions are extended to accept the struct ip_fw_chain * argument. o All table modifing functions use IPFW_WLOCK_ASSERT(). Revision Changes Path 1.118 +54 -71 src/sys/netinet/ip_fw2.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200512061045.jB6AjopR018089>