[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LFD.2.00.0904111049010.4583@localhost.localdomain>
Date: Sat, 11 Apr 2009 10:51:20 -0700 (PDT)
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Jan Engelhardt <jengelh@...ozas.de>
cc: "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
David Miller <davem@...emloft.net>,
Ingo Molnar <mingo@...e.hu>,
Lai Jiangshan <laijs@...fujitsu.com>, shemminger@...tta.com,
jeff.chua.linux@...il.com, dada1@...mosbay.com, kaber@...sh.net,
r000n@...0n.net,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: iptables very slow after commit
784544739a25c30637397ace5489eeb6e15d7d49
On Sat, 11 Apr 2009, Jan Engelhardt wrote:
>
> iptables works in whole tables.
Not really.
Yes, iptables as a single command works in whole tables.
USERS, on the other hand, often work in multiple iptables commands, ie
they just add things to the tables. And in fact, I think this is the exact
workload that Jeff complains about - doing two hundred "update table"
commands.
> Userspace submits a table, checkentry is called for all rules in the new
> table, things are swapped, then destroy is called for all rules in the
> old table. By that logic (which existed since dawn I think), only the
> swap operation needs to be locked.
The problem is, the new code makes the "wait after swap" thing happen
after every switch. And if you do two hundred "update table" commands, you
now take a _long_ time to update.
Sure, you could tell people to just do everything as one single table
update, but that isn't what they do.
Linus
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists