cvs commit: src/sys/netinet ip_fw2.c

Gleb Smirnoff glebius at FreeBSD.org
Sat Jan 14 16:55:05 PST 2006


glebius     2006-01-15 00:55:05 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_6)
    sys/netinet          ip_fw2.c 
  Log:
  MFC 1.118:
      Optimize parallel processing of ipfw(4) rulesets eliminating the locking
    of the radix lookup tables. Since several rnh_lookup() can run in
    parallel on the same table, we can piggyback on the shared locking
    provided by ipfw(4).
      However, the single entry cache in the ip_fw_table can't be used lockless,
    so it is removed. This pessimizes two cases: processing of bursts of similar
    packets and matching one packet against the same table several times during
    one ipfw_chk() lookup. To optimize the processing of similar packet bursts
    the administrator should use a stateful firewall. To optimize the second problem
    a solution will be provided soon.
  
    Details:
      o Since we piggyback on the ipfw(4) locking, and the latter is per-chain,
        the tables are moved from the global declaration to the
        struct ip_fw_chain.
      o The struct ip_fw_table is shrunk to one entry and thus vanished.
      o All table manipulating functions are extended to accept the struct
        ip_fw_chain * argument.
      o All table modifying functions use IPFW_WLOCK_ASSERT().
  
  Revision   Changes    Path
  1.106.2.7  +54 -71    src/sys/netinet/ip_fw2.c
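
The log above says the single-entry cache cannot be used lockless while lookups share a read lock. The following is an added illustration of why, not code from ip_fw2.c: it replays, in one thread, one possible interleaving of two readers that each hold only the shared lock. The structures, function names and sample addresses are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical structures for illustration; not ipfw's own. */
struct entry { uint32_t addr, value; };
struct table {
    const struct entry *ents;          /* never written during lookups */
    size_t n;
    uint32_t cache_addr, cache_value;  /* single-entry cache, written BY lookups */
    int cache_valid;
};

/* Read-only lookup: any number of callers may run it under a shared lock. */
static int lookup_nocache(const struct table *t, uint32_t addr, uint32_t *val)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->ents[i].addr == addr) { *val = t->ents[i].value; return 1; }
    return 0;
}

/* Cache probe, as a second reader would execute it. */
static int cache_probe(const struct table *t, uint32_t addr, uint32_t *val)
{
    if (!t->cache_valid || t->cache_addr != addr)
        return 0;
    *val = t->cache_value;
    return 1;
}

/* Replays one interleaving of readers A and B, both looking up address 10.
 * Returns the value reader B ends up with. */
static uint32_t interleaved_lookup(void)
{
    static const struct entry ents[] = { {10, 100}, {20, 200} };
    struct table t = { ents, 2, 20, 200, 1 };  /* cache primed by a lookup of 20 */
    uint32_t a = 0, b = 0;

    if (!cache_probe(&t, 10, &a))    /* reader A: cache miss */
        lookup_nocache(&t, 10, &a);  /* reader A: slow path finds 100 */
    t.cache_addr = 10;               /* reader A: first half of the cache refill */
    cache_probe(&t, 10, &b);         /* reader B: key matches, value still stale */
    t.cache_value = a;               /* reader A: second half, too late for B */
    return b;                        /* 200, the value that belongs to address 20 */
}

int main(void) { return interleaved_lookup() == 200 ? 0 : 1; }
```

With real threads the same refill is an unsynchronized write under a read lock; the cache-free lookup_nocache() touches no shared mutable state and needs only the shared lock.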

