parallelizing ipfw table

Gleb Smirnoff glebius at FreeBSD.org
Mon Nov 28 09:47:31 GMT 2005


On Mon, Nov 28, 2005 at 08:27:32AM +0200, Ruslan Ermilov wrote:
R> > On Sun, Nov 27, 2005 at 09:45:45PM +0200, Ruslan Ermilov wrote:
R> > R> Nope, I need this caching.  It's for looking up the same table
R> > R> several times in a row but with various values.  For example,
R> > R> we use ipfw tables to route the traffic to the correct dummynet
R> > R> pipe, where value is the bandwidth, and this caching helps a lot.
R> > 
R> > Have you benchmarked that this caching is important? On a router
R> > that serves a lot of parallel traffic flows the caching is not
R> > a benefit, but additional processing. I think we should optimize
R> > the code for more loaded environments, since we don't care about
R> > CPU consumption in a less loaded setup - whether it is 0.1% or 0.11%.
R> > 
R> I'm talking about the following case: the same packet is
R> processed by a firewall ruleset that has N rules that
R> look up the same ipfw table but with different "values",
R> to select a correct dummynet pipe.

I understand this case. But wouldn't it be better to optimise this case
by storing the last match on stack in ipfw_chk()?

Can you please show me what this ruleset looks like?

R> > In general such kind of caching in network code is an old fashion,
R> > that causes problems when we attempt to make code more
R> > parallelizable. We already removed rtcache in ip_output.c rev. 1.201
R> > and we will soon remove route caching in gif(4), because it causes
R> > problems on SMP.
R> > 
R> > Can you try my patch? Since it reduces the total number of mutex
R> > operations it should be a win on UP, too.
R> > 
R> We're currently based on 4.x.  You can try it yourself: create
R> a table with 10000 entries and with value 13.  Then write a
R> ruleset with 13 rules that look up this table so that the last
R> rule looks it up with value 13, and do a benchmark.  Let me
R> know what are results with and without caching.

This kind of firewall looks unoptimized. Why should we optimize the
code for non-optimized setups? Can't we avoid looking into one table
13 times each packet?

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
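
An added illustration of the stack-local alternative raised in this message (not code from ipfw or from either poster): a simplified C model in which the last table match is kept in a local variable of a `chk_packet()` function, so N rules testing the same address cost one full lookup and nothing shared is written on the packet path. All names, the sorted-array table and the sample data are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an ipfw table: sorted addr -> value pairs. */
struct entry { uint32_t addr; uint32_t value; };
struct table { const struct entry *e; size_t n; };
/* Result of the last lookup; one instance per packet, on the stack. */
struct last_match { int valid; uint32_t addr; int found; uint32_t value; };

unsigned long full_lookups;   /* demo counter only, not thread-safe */

/* Constructed sample data: 10.0.0.2 carries value 13. */
static const struct entry sample[] = {
    { 0x0a000001, 5 }, { 0x0a000002, 13 }, { 0x0a000003, 7 } };
const struct table sample_table = { sample, 3 };

/* Full lookup: binary search standing in for the real table structure. */
static int table_lookup(const struct table *t, uint32_t addr, uint32_t *val)
{
    size_t lo = 0, hi = t->n;
    full_lookups++;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (t->e[mid].addr == addr) { *val = t->e[mid].value; return 1; }
        if (t->e[mid].addr < addr) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* One "lookup table with value `want`" rule: try the stack cache first. */
static int rule_matches(const struct table *t, struct last_match *c,
                        uint32_t addr, uint32_t want)
{
    if (!c->valid || c->addr != addr) {
        c->found = table_lookup(t, addr, &c->value);
        c->addr = addr; c->valid = 1;
    }
    return c->found && c->value == want;
}

/* Walk rules 1..nrules; return the first matching rule number, 0 if none. */
int chk_packet(const struct table *t, uint32_t addr, uint32_t nrules)
{
    struct last_match cache = { 0 };  /* private to this call: no lock needed */
    for (uint32_t r = 1; r <= nrules; r++)
        if (rule_matches(t, &cache, addr, r)) return (int)r;
    return 0;
}

int main(void) { int r = chk_packet(&sample_table, 0x0a000002, 13);
    printf("rule %d, %lu full lookup(s)\n", r, full_lookups); return 0; }
```

Because the cache dies with the call, concurrent packets never contend on it, and a miss is cached as well, so an address absent from the table also costs a single full lookup.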

