| To: | "David S. Miller" <davem@xxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: limited number if iptable rules on 64bit hosts |
| From: | "Bill Rugolsky Jr." <brugolsky@xxxxxxxxxxxxxxxxxxxxxxxxx> |
| Date: | Thu, 3 Feb 2005 16:35:42 -0500 |
| Cc: | Olaf Hering <olh@xxxxxxx>, okir@xxxxxxx, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <20050203110049.6b2d9c64.davem@xxxxxxxxxxxxx> |
| References: | <20050202133851.GA9680@xxxxxxx> <20050202222516.GA15440@xxxxxxx> <20050202223853.GA29237@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20050202225258.GA15563@xxxxxxx> <20050203111939.GI31570@xxxxxxx> <20050203104822.05be3281.davem@xxxxxxxxxxxxx> <20050203185928.GA22832@xxxxxxx> <20050203110049.6b2d9c64.davem@xxxxxxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
| User-agent: | Mutt/1.4.1i |

On Thu, Feb 03, 2005 at 11:00:49AM -0800, David S. Miller wrote:
> It might not help for Olaf's 128 cpu box though :-)
>
> I think reconsider the idea of replicating the rule itself per-cpu.
> Also, this thread should have begun with netfilter-devel at least on
> the CC:, added.

As Olaf Kirch pointed out, an entry is about 150 bytes, while the counters
are two 64-bit ints, and it looks like 'unsigned int comefrom' is set as
the chains are traversed [net/ipv4/netfilter/ip_tables.c]:

    /* Save old back ptr in next entry */
    struct ipt_entry *next
        = (void *)e + e->next_offset;
    next->comefrom
        = (void *)back - table_base;
    /* set back pointer to next entry */
    back = next;

That's 20-24 bytes of state per-entry per-cpu, for a factor of 6-7 savings,
at the expense of hairing up the code slightly to do parallel indexed
access, Fortran style.

If I am understanding the mm code correctly, a single vmalloc() allocation
is currently limited to 64M on a 64-bit platform, but the VMALLOC address
range is much greater, so one might also prefer to do a kmalloc()/vmalloc()
per CPU, perhaps by creating {vmalloc,vfree}_percpu() and using the
percpu interfaces.

Bill Rugolsky
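
The layout proposed in the message above, sketched in userspace C as an added example (not code from the kernel or from the message): the rules stay shared, and each CPU gets its own separately allocated array of counters and `comefrom`, indexed by rule number. The names `rule_state`, `savings_x100`, `alloc_state`, `free_state`, `account` and `total_packets` are hypothetical, and `calloc()` stands in for the kernel allocators.

```c
#include <stdint.h>
#include <stdlib.h>

/* Mutable per-rule state: two 64-bit counters plus comefrom (20-24 bytes). */
struct rule_state {
    uint64_t pcnt, bcnt;    /* packet and byte counters */
    unsigned int comefrom;  /* back pointer saved during traversal */
};

/* Memory ratio (x100): full rule copy per CPU vs. shared rules + per-CPU state. */
unsigned int savings_x100(size_t ncpus, size_t rule_size)
{
    return (unsigned int)(100 * ncpus * rule_size /
                          (rule_size + ncpus * sizeof(struct rule_state)));
}

void free_state(struct rule_state **state, size_t ncpus)
{
    for (size_t c = 0; state && c < ncpus; c++)
        free(state[c]);
    free(state);
}

/* One allocation per CPU; calloc stands in for kmalloc()/vmalloc(). */
struct rule_state **alloc_state(size_t ncpus, size_t nrules)
{
    struct rule_state **state = calloc(ncpus, sizeof(*state));
    for (size_t c = 0; state && c < ncpus; c++)
        if (!(state[c] = calloc(nrules, sizeof(**state)))) {
            free_state(state, ncpus);
            return NULL;
        }
    return state;
}

/* Packet path: a CPU updates only its own array, indexed by rule number. */
void account(struct rule_state **state, size_t cpu, size_t rule, size_t len)
{
    state[cpu][rule].pcnt++;
    state[cpu][rule].bcnt += len;
}

/* Reader path: sum one rule's packet counter across all CPUs. */
uint64_t total_packets(struct rule_state **state, size_t ncpus, size_t rule)
{
    uint64_t sum = 0;
    for (size_t c = 0; c < ncpus; c++)
        sum += state[c][rule].pcnt;
    return sum;
}
```

With the message's 150-byte entry on a 128-CPU machine, `savings_x100(128, 150)` falls between 595 and 708 depending on whether `struct rule_state` pads to 24 or 20 bytes.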