| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 May 2020 14:40:10 +0300
From: Vlad Buslov <vladbu@...lanox.com>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net, jhs@...atatu.com, xiyou.wangcong@...il.com,
jiri@...nulli.us, dcaratti@...hat.com, marcelo.leitner@...il.com,
kuba@...nel.org, Vlad Buslov <vladbu@...lanox.com>
Subject: [PATCH net-next v2 0/4] Implement classifier-action terse dump mode
Output rate of current upstream kernel TC filter dump implementation if
relatively low (~100k rules/sec depending on configuration). This
constraint impacts performance of software switch implementation that
rely on TC for their datapath implementation and periodically call TC
filter dump to update rules stats. Moreover, TC filter dump output a lot
of static data that don't change during the filter lifecycle (filter
key, specific action details, etc.) which constitutes significant
portion of payload on resulting netlink packets and increases amount of
syscalls necessary to dump all filters on particular Qdisc. In order to
significantly improve filter dump rate this patch sets implement new
mode of TC filter dump operation named "terse dump" mode. In this mode
only parameters necessary to identify the filter (handle, action cookie,
etc.) and data that can change during filter lifecycle (filter flags,
action stats, etc.) are preserved in dump output while everything else
is omitted.
Userspace API is implemented using new TCA_DUMP_FLAGS tlv with only
available flag value TCA_DUMP_FLAGS_TERSE. Internally, new API requires
individual classifier support (new tcf_proto_ops->terse_dump()
callback). Support for action terse dump is implemented in act API and
don't require changing individual action implementations.
The following table provides performance comparison between regular
filter dump and new terse dump mode for two classifier-action profiles:
one minimal config with L2 flower classifier and single gact action and
another heavier config with L2+5tuple flower classifier with
tunnel_key+mirred actions.
Classifier-action type | dump | terse dump | X improvement
| (rules/sec) | (rules/sec) |
-----------------------------+-------------+-------------+---------------
L2 with gact | 141.8 | 293.2 | 2.07
L2+5tuple tunnel_key+mirred | 76.4 | 198.8 | 2.60
Benchmark details: to measure the rate tc filter dump and terse dump
commands are invoked on ingress Qdisc that have one million filters
configured using following commands.
> time sudo tc -s filter show dev ens1f0 ingress >/dev/null
> time sudo tc -s filter show terse dev ens1f0 ingress >/dev/null
Value in results table is calculated by dividing 1000000 total rules by
"real" time reported by time command.
Setup details: 2x Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 32GB memory
Vlad Buslov (4):
net: sched: introduce terse dump flag
net: sched: implement terse dump support in act
net: sched: cls_flower: implement terse dump support
selftests: implement flower classifier terse dump tests
include/net/act_api.h | 2 +-
include/net/pkt_cls.h | 1 +
include/net/sch_generic.h | 4 ++
include/uapi/linux/rtnetlink.h | 6 ++
net/sched/act_api.c | 30 +++++++--
net/sched/cls_api.c | 67 ++++++++++++++++---
net/sched/cls_flower.c | 43 ++++++++++++
.../tc-testing/tc-tests/filters/tests.json | 38 +++++++++++
8 files changed, 174 insertions(+), 17 deletions(-)
--
2.21.0
Powered by blists - more mailing lists