From: Jan-Philipp Litza <jpl@plutex.de>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH] netfilter: Reverse nft_set_lookup_byid list traversal
Date: Thu, 7 Jan 2021 09:56:42 +0100
Message-ID: <21ed8188-a202-f578-6f8b-303dec37a266@plutex.de>

When loading a large ruleset with many anonymous sets,
nft_set_lookup_global is called once for each added set element, which
in turn calls nft_set_lookup_byid if the set was only added in this
transaction.

The longer this transaction's queue of unapplied netlink messages gets,
the longer it takes to traverse it in search for the set referenced by
ID that was probably added near the end if it is an anonymous set. This
patch hence searches the list of unapplied netlink messages in reverse
order, finding the just-added anonymous set faster.

On some real-life ruleset of ~6000 statements and ~1000 anonymous sets,
this patch roughly halves the system time on loading:

Before: 0,06s user 0,39s system 97% cpu 0,459 total
After:  0,06s user 0,20s system 97% cpu 0,268 total

The downside might be that newly added non-anonymous named sets are
probably added at the beginning of a transaction, and looking for them
when adding elements later on takes longer. However, I reckon that named
sets too are more often filled right after their creation. Furthermore,
for named sets, users can optimize their rule structure to add elements
right after set creation, whereas it's impossible to first create all
anonymous sets at the beginning of the transaction to optimize for the
current approach.

Signed-off-by: Jan-Philipp Litza <jpl@plutex.de>
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8d5aa0ac4..c488b6b95 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3639,7 +3639,7 @@ static struct nft_set *nft_set_lookup_byid(const struct net *net,
 	struct nft_trans *trans;
 	u32 id = ntohl(nla_get_be32(nla));
 
-	list_for_each_entry(trans, &net->nft.commit_list, list) {
+	list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
 		if (trans->msg_type == NFT_MSG_NEWSET) {
 			struct nft_set *set = nft_trans_set(trans);
 
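Review bot: switching to list_for_each_entry_reverse here changes which NEWSET transaction is returned if more than one queued NEWSET carries the same id, not only how quickly the common case is found; the changelog argues purely about speed, so it should either state that set ids are unique within one transaction batch or the loop should keep a tie-break that makes the choice explicit, otherwise the change silently alters matching semantics in the duplicate case. Also worth recording in the changelog that the scan remains linear in the length of commit_list for the named-set-filled-late ordering the message itself describes, so this is a constant-factor improvement for one ordering rather than a complexity fix; an id-keyed index would cover both orderings.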
--
2.27.0
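To make the cost argument in the commit message concrete, here is a small user-space model of the linear scan in nft_set_lookup_byid(). It is an added example, not kernel code and not part of the patch: it builds an intrusive doubly linked list of transaction records, looks up a NEWSET entry by id walking either forward (as the pre-patch loop) or backward (as the patched loop), and counts the nodes visited over two constructed message orderings. The message-type names, the helper functions, and the assumption that each anonymous set is followed by about six element additions are all this example's own choices, not values from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: a user-space stand-in for the commit-list scan, not kernel code. */
enum msg_type { MSG_NEWSET, MSG_NEWSETELEM, MSG_NEWRULE };

struct trans {
	enum msg_type type;
	uint32_t set_id;            /* meaningful only for MSG_NEWSET */
	struct trans *prev, *next;  /* intrusive doubly linked list, like list_head */
};

/* The head is a sentinel node, mirroring struct list_head semantics. */
static void list_init(struct trans *head) { head->prev = head->next = head; }

static struct trans *list_add_tail(struct trans *head, enum msg_type type, uint32_t id)
{
	struct trans *t = calloc(1, sizeof(*t));
	if (!t)
		abort();
	t->type = type;
	t->set_id = id;
	t->prev = head->prev;
	t->next = head;
	head->prev->next = t;
	head->prev = t;
	return t;
}

static void list_free(struct trans *head)
{
	struct trans *t = head->next;
	while (t != head) {
		struct trans *n = t->next;
		free(t);
		t = n;
	}
	list_init(head);
}

/*
 * Find the NEWSET transaction carrying id, counting visited nodes.
 * reverse == 0 walks like list_for_each_entry(), reverse == 1 like
 * list_for_each_entry_reverse(). Returns the step count, or -1 if absent.
 */
static long lookup_byid_steps(struct trans *head, uint32_t id, int reverse)
{
	long steps = 0;
	for (struct trans *t = reverse ? head->prev : head->next;
	     t != head; t = reverse ? t->prev : t->next) {
		steps++;
		if (t->type == MSG_NEWSET && t->set_id == id)
			return steps;
	}
	return -1;
}

/*
 * Ordering from the commit message: nsets anonymous sets, each immediately
 * followed by nelem element additions. Each element addition looks its set
 * up before its own transaction is queued. Returns total nodes visited.
 */
long anon_set_workload_steps(int nsets, int nelem, int reverse)
{
	struct trans head;
	long total = 0;

	list_init(&head);
	for (uint32_t id = 1; id <= (uint32_t)nsets; id++) {
		list_add_tail(&head, MSG_NEWSET, id);
		for (int e = 0; e < nelem; e++) {
			long s = lookup_byid_steps(&head, id, reverse);
			if (s < 0)
				abort();  /* the set was just queued, so it must be found */
			total += s;
			list_add_tail(&head, MSG_NEWSETELEM, 0);
		}
	}
	list_free(&head);
	return total;
}

/*
 * The downside case from the commit message: one named set created first,
 * nfill unrelated rule messages after it, and only then nelem element
 * additions to that set.
 */
long named_set_workload_steps(int nfill, int nelem, int reverse)
{
	struct trans head;
	long total = 0;

	list_init(&head);
	list_add_tail(&head, MSG_NEWSET, 1);
	for (int i = 0; i < nfill; i++)
		list_add_tail(&head, MSG_NEWRULE, 0);
	for (int e = 0; e < nelem; e++) {
		long s = lookup_byid_steps(&head, 1, reverse);
		if (s < 0)
			abort();
		total += s;
		list_add_tail(&head, MSG_NEWSETELEM, 0);
	}
	list_free(&head);
	return total;
}

int main(void)
{
	/* Assumed sizes loosely modelled on the message: 1000 anonymous sets, ~6 elements each. */
	printf("anonymous sets: forward=%ld reverse=%ld\n",
	       anon_set_workload_steps(1000, 6, 0), anon_set_workload_steps(1000, 6, 1));
	printf("named set filled late: forward=%ld reverse=%ld\n",
	       named_set_workload_steps(5000, 6, 0), named_set_workload_steps(5000, 6, 1));
	return 0;
}
```

The first workload grows quadratically with the number of queued messages under forward traversal and stays proportional to the number of element additions under reverse traversal; the second workload shows the inverse, which is the trade-off the commit message acknowledges for named sets filled late in a batch.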


Thread overview: 3+ messages
2021-01-07  8:56 Jan-Philipp Litza [this message]
2021-01-14 22:40 ` [PATCH] netfilter: Reverse nft_set_lookup_byid list traversal Pablo Neira Ayuso
2021-01-19 14:22   ` Jan-Philipp Litza