Commit d4b2516b authored by Florian Westphal's avatar Florian Westphal Committed by Luis Henriques

netfilter: x_tables: pack percpu counter allocations

BugLink: https://bugs.launchpad.net/bugs/1640786

instead of allocating each xt_counter individually, allocate 4k chunks
and then use these for counter allocation requests.

This should speed up rule evaluation by increasing data locality,
also speeds up ruleset loading because we reduce calls to the percpu
allocator.

As Eric points out we can't use PAGE_SIZE, page_allocator would fail on
arches with 64k page size.
Suggested-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Acked-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
(backported from commit ae0ac0ed)
Signed-off-by: default avatarEric Desrochers <eric.desrochers@canonical.com>
Acked-by: default avatarTim Gardner <tim.gardner@canonical.com>
Acked-by: default avatarSeth Forshee <seth.forshee@canonical.com>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent a6fda211
...@@ -364,8 +364,13 @@ static inline unsigned long ifname_compare_aligned(const char *_a, ...@@ -364,8 +364,13 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
return ret; return ret;
} }
struct xt_percpu_counter_alloc_state {
unsigned int off;
const char __percpu *mem;
};
bool xt_percpu_counter_alloc(struct xt_counters *counters); bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
struct xt_counters *counter);
void xt_percpu_counter_free(struct xt_counters *cnt); void xt_percpu_counter_free(struct xt_counters *cnt);
static inline struct xt_counters * static inline struct xt_counters *
......
...@@ -526,13 +526,14 @@ static inline int check_target(struct arpt_entry *e, const char *name) ...@@ -526,13 +526,14 @@ static inline int check_target(struct arpt_entry *e, const char *name)
} }
static inline int static inline int
find_check_entry(struct arpt_entry *e, const char *name, unsigned int size) find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
struct xt_percpu_counter_alloc_state *alloc_state)
{ {
struct xt_entry_target *t; struct xt_entry_target *t;
struct xt_target *target; struct xt_target *target;
int ret; int ret;
if (!xt_percpu_counter_alloc(&e->counters)) if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
return -ENOMEM; return -ENOMEM;
t = arpt_get_target(e); t = arpt_get_target(e);
...@@ -649,6 +650,7 @@ static inline void cleanup_entry(struct arpt_entry *e) ...@@ -649,6 +650,7 @@ static inline void cleanup_entry(struct arpt_entry *e)
static int translate_table(struct xt_table_info *newinfo, void *entry0, static int translate_table(struct xt_table_info *newinfo, void *entry0,
const struct arpt_replace *repl) const struct arpt_replace *repl)
{ {
struct xt_percpu_counter_alloc_state alloc_state = { 0 };
struct arpt_entry *iter; struct arpt_entry *iter;
unsigned int i; unsigned int i;
int ret = 0; int ret = 0;
...@@ -712,7 +714,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, ...@@ -712,7 +714,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
/* Finally, each sanity check must pass */ /* Finally, each sanity check must pass */
i = 0; i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) { xt_entry_foreach(iter, entry0, newinfo->size) {
ret = find_check_entry(iter, repl->name, repl->size); ret = find_check_entry(iter, repl->name, repl->size,
&alloc_state);
if (ret != 0) if (ret != 0)
break; break;
++i; ++i;
......
...@@ -665,7 +665,8 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name) ...@@ -665,7 +665,8 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name)
static int static int
find_check_entry(struct ipt_entry *e, struct net *net, const char *name, find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
unsigned int size) unsigned int size,
struct xt_percpu_counter_alloc_state *alloc_state)
{ {
struct xt_entry_target *t; struct xt_entry_target *t;
struct xt_target *target; struct xt_target *target;
...@@ -674,7 +675,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, ...@@ -674,7 +675,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
struct xt_mtchk_param mtpar; struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch; struct xt_entry_match *ematch;
if (!xt_percpu_counter_alloc(&e->counters)) if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
return -ENOMEM; return -ENOMEM;
j = 0; j = 0;
...@@ -819,6 +820,7 @@ static int ...@@ -819,6 +820,7 @@ static int
translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
const struct ipt_replace *repl) const struct ipt_replace *repl)
{ {
struct xt_percpu_counter_alloc_state alloc_state = { 0 };
struct ipt_entry *iter; struct ipt_entry *iter;
unsigned int i; unsigned int i;
int ret = 0; int ret = 0;
...@@ -878,7 +880,8 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, ...@@ -878,7 +880,8 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
/* Finally, each sanity check must pass */ /* Finally, each sanity check must pass */
i = 0; i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) { xt_entry_foreach(iter, entry0, newinfo->size) {
ret = find_check_entry(iter, net, repl->name, repl->size); ret = find_check_entry(iter, net, repl->name, repl->size,
&alloc_state);
if (ret != 0) if (ret != 0)
break; break;
++i; ++i;
......
...@@ -678,7 +678,8 @@ static int check_target(struct ip6t_entry *e, struct net *net, const char *name) ...@@ -678,7 +678,8 @@ static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
static int static int
find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
unsigned int size) unsigned int size,
struct xt_percpu_counter_alloc_state *alloc_state)
{ {
struct xt_entry_target *t; struct xt_entry_target *t;
struct xt_target *target; struct xt_target *target;
...@@ -687,7 +688,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, ...@@ -687,7 +688,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
struct xt_mtchk_param mtpar; struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch; struct xt_entry_match *ematch;
if (!xt_percpu_counter_alloc(&e->counters)) if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
return -ENOMEM; return -ENOMEM;
j = 0; j = 0;
...@@ -831,6 +832,7 @@ static int ...@@ -831,6 +832,7 @@ static int
translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
const struct ip6t_replace *repl) const struct ip6t_replace *repl)
{ {
struct xt_percpu_counter_alloc_state alloc_state = { 0 };
struct ip6t_entry *iter; struct ip6t_entry *iter;
unsigned int i; unsigned int i;
int ret = 0; int ret = 0;
...@@ -890,7 +892,8 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, ...@@ -890,7 +892,8 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
/* Finally, each sanity check must pass */ /* Finally, each sanity check must pass */
i = 0; i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) { xt_entry_foreach(iter, entry0, newinfo->size) {
ret = find_check_entry(iter, net, repl->name, repl->size); ret = find_check_entry(iter, net, repl->name, repl->size,
&alloc_state);
if (ret != 0) if (ret != 0)
break; break;
++i; ++i;
......
...@@ -40,6 +40,7 @@ MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); ...@@ -40,6 +40,7 @@ MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
#define XT_PCPU_BLOCK_SIZE 4096
struct compat_delta { struct compat_delta {
unsigned int offset; /* offset in kernel */ unsigned int offset; /* offset in kernel */
...@@ -1553,6 +1554,7 @@ EXPORT_SYMBOL_GPL(xt_proto_fini); ...@@ -1553,6 +1554,7 @@ EXPORT_SYMBOL_GPL(xt_proto_fini);
/** /**
* xt_percpu_counter_alloc - allocate x_tables rule counter * xt_percpu_counter_alloc - allocate x_tables rule counter
* *
* @state: pointer to xt_percpu allocation state
* @counter: pointer to counter struct inside the ip(6)/arpt_entry struct * @counter: pointer to counter struct inside the ip(6)/arpt_entry struct
* *
* On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then * On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then
...@@ -1561,21 +1563,34 @@ EXPORT_SYMBOL_GPL(xt_proto_fini); ...@@ -1561,21 +1563,34 @@ EXPORT_SYMBOL_GPL(xt_proto_fini);
* Rule evaluation needs to use xt_get_this_cpu_counter() helper * Rule evaluation needs to use xt_get_this_cpu_counter() helper
* to fetch the real percpu counter. * to fetch the real percpu counter.
* *
* To speed up allocation and improve data locality, a 4kb block is
* allocated.
*
* xt_percpu_counter_alloc_state contains the base address of the
* allocated page and the current sub-offset.
*
* returns false on error. * returns false on error.
*/ */
bool xt_percpu_counter_alloc(struct xt_counters *counter) bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
struct xt_counters *counter)
{ {
void __percpu *res; BUILD_BUG_ON(XT_PCPU_BLOCK_SIZE < (sizeof(*counter) * 2));
if (nr_cpu_ids <= 1) if (nr_cpu_ids <= 1)
return true; return true;
res = __alloc_percpu(sizeof(struct xt_counters), if (!state->mem) {
sizeof(struct xt_counters)); state->mem = __alloc_percpu(XT_PCPU_BLOCK_SIZE,
if (!res) XT_PCPU_BLOCK_SIZE);
if (!state->mem)
return false; return false;
}
counter->pcnt = (__force unsigned long)res; counter->pcnt = (__force unsigned long)(state->mem + state->off);
state->off += sizeof(*counter);
if (state->off > (XT_PCPU_BLOCK_SIZE - sizeof(*counter))) {
state->mem = NULL;
state->off = 0;
}
return true; return true;
} }
EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc); EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc);
...@@ -1584,7 +1599,7 @@ void xt_percpu_counter_free(struct xt_counters *counters) ...@@ -1584,7 +1599,7 @@ void xt_percpu_counter_free(struct xt_counters *counters)
{ {
unsigned long pcnt = counters->pcnt; unsigned long pcnt = counters->pcnt;
if (nr_cpu_ids > 1) if (nr_cpu_ids > 1 && (pcnt & (XT_PCPU_BLOCK_SIZE - 1)) == 0)
free_percpu((void __percpu *)pcnt); free_percpu((void __percpu *)pcnt);
} }
EXPORT_SYMBOL_GPL(xt_percpu_counter_free); EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment