git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 10 Jun 2015 23:34:55 +0000 (01:34 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 12 Jun 2015 12:27:10 +0000 (14:27 +0200)
commit	00d00e0c31ec55a495dd8847448068c1d37cb4e6
tree	66160977937cbc47d024b93806b85475dab1c026	tree \| snapshot
parent	ebdb9c805fb56e991d0bcf6a80e3e6e3ddf83399	commit \| diff

netfilter: xtables: avoid percpu ruleset duplication

We store the rule blob per (possible) cpu. Unfortunately this means we can
waste lot of memory on big smp machines. ipt_entry structure ('rule head')
is 112 byte, so e.g. with maxcpu=64 one single rule eats
close to 8k RAM.

Since previous patch made counters percpu it appears there is nothing
left in the rule blob that needs to be percpu.

On my test system (144 possible cpus, 400k dummy rules) this
change saves close to 9 Gigabyte of RAM.

Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/linux/netfilter/x_tables.h		diff \| blob \| history
net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history
net/netfilter/x_tables.c		diff \| blob \| history