netfilter: conntrack: remove central spinlock nf_conntrack_lock
nf_conntrack_lock is a monolithic lock and suffers from huge contention on current generation servers (8 or more core/threads).

Perf locking congestion is clear on base kernel:

-  72.56%  ksoftirqd/6  [kernel.kallsyms]  [k] _raw_spin_lock_bh
   - _raw_spin_lock_bh
      + 25.33% init_conntrack
      + 24.86% nf_ct_delete_from_lists
      + 24.62% __nf_conntrack_confirm
      + 24.38% destroy_conntrack
      + 0.70% tcp_packet
+   2.21%  ksoftirqd/6  [kernel.kallsyms]  [k] fib_table_lookup
+   1.15%  ksoftirqd/6  [kernel.kallsyms]  [k] __slab_free
+   0.77%  ksoftirqd/6  [kernel.kallsyms]  [k] inet_getpeer
+   0.70%  ksoftirqd/6  [nf_conntrack]     [k] nf_ct_delete
+   0.55%  ksoftirqd/6  [ip_tables]        [k] ipt_do_table

This patch changes conntrack locking and provides a huge performance improvement. SYN-flood attack tested on a 24-core E5-2695v2(ES) with 10Gbit/s ixgbe (with tool trafgen):

Base kernel: 810.405 new connt...
Changed files:
- include/net/netfilter/nf_conntrack_core.h: 6 additions, 1 deletion
- include/net/netns/conntrack.h: 2 additions, 0 deletions
- net/netfilter/nf_conntrack_core.c: 159 additions, 60 deletions
- net/netfilter/nf_conntrack_helper.c: 8 additions, 4 deletions
- net/netfilter/nf_conntrack_netlink.c: 13 additions, 2 deletions