From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 13 20:33:36 2012 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1002A48B; Tue, 13 Nov 2012 20:33:36 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from mail.ipfw.ru (unknown [IPv6:2a01:4f8:120:6141::2]) by mx1.freebsd.org (Postfix) with ESMTP id 96D368FC13; Tue, 13 Nov 2012 20:33:35 +0000 (UTC) Received: from v6.mpls.in ([2a02:978:2::5] helo=ws.su29.net) by mail.ipfw.ru with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76 (FreeBSD)) (envelope-from ) id 1TYNEB-0005aJ-5t; Wed, 14 Nov 2012 00:36:59 +0400 Message-ID: <50A2AE84.5040304@FreeBSD.org> Date: Wed, 14 Nov 2012 00:33:08 +0400 From: "Alexander V. Chernikov" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:9.0) Gecko/20120121 Thunderbird/9.0 MIME-Version: 1.0 To: Alfred Perlstein Subject: Re: [CFT] ipfw SMP-ready dynamic states References: <50A29F57.6090701@yandex-team.ru> <50A2AA89.9060309@mu.org> In-Reply-To: <50A2AA89.9060309@mu.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "Alexander V. Chernikov" , freebsd-ipfw@freebsd.org, Luigi Rizzo , "freebsd-net@freebsd.org" X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Nov 2012 20:33:36 -0000 On 14.11.2012 00:16, Alfred Perlstein wrote: > Alexander, this is awesome. > > On 11/13/12 11:28 AM, Alexander V. Chernikov wrote: >> Hello list! >> >> Currently most ipfw operations with dynamic states (keep-state, >> check-state, limit) are serialized via IPFW_DYN_LOCK() which is >> per-vnet mutex lock. >> >> As a result, performance is limited to the same ~650kpps as in routing >> (in several cases). >> >> Patch changes the following: >> * global lock is changed to per-bucket mutex >> * state expiration is done in ipfw_tick every 1s. No expiration is >> done on forwarding path >> * hash table resize is done automatically and does not cause all >> states to be lost >> >> The only (architectural) problem I see is unlocked V_dyn_count >> increments. >> So, we can do the following: >> 1) lock increments/decrements via some separate mutex >> 2) do nothing >> 3) take some combined approach: >> >> Generally, we don't need value to be _exact_. >> As a result, we count total number of states in every ipfw_tick run >> and set V_dyn_count to new value. New states still increment >> V_dyn_count unlocked. >> > What about using per-cpu PCPU counters, and then collecting them for > display/reporting? We currently don't have working dynamic PCPU counters in our base system. However, there is a patch implementing such counters based on UMA. (And we're testing it on ipfw :) ). I hope it will be announced till the end of this month. > > -Alfred > > >> >> Performance: >> >> Synthetic traffic, ipfw with single allow ip from any to any rule: 2.4M. >> single keep-state ip from any to any: 2.2M. >> >> Some more tests should be taken (with large number of states, >> different types of traffic, etc), maybe I can do some next week. >> >> >> You need to run recent -current or merge r242631 and r242834 before >> applying this patch. >> >> >> _______________________________________________ >> freebsd-net@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-net >> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >