Skip to content

Commit e00b437

Browse files
Florian Westphalummakynes
Florian Westphal
authored and
ummakynes
committed
netfilter: connlimit: move lock array out of struct connlimit_data
Eric points out that the locks can be global. Moreover, both Jesper and Eric note that using only 32 locks increases false sharing as only two cache lines are used. This increases locks to 256 (16 cache lines assuming 64byte cacheline and 4 bytes per spinlock). Suggested-by: Jesper Dangaard Brouer <brouer@redhat.com> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent e5ac6ea commit e00b437

File tree

1 file changed

+16
-9
lines changed

1 file changed

+16
-9
lines changed

net/netfilter/xt_connlimit.c

Lines changed: 16 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -32,8 +32,14 @@
3232
#include <net/netfilter/nf_conntrack_tuple.h>
3333
#include <net/netfilter/nf_conntrack_zones.h>
3434

35-
#define CONNLIMIT_SLOTS 32
36-
#define CONNLIMIT_LOCK_SLOTS 32
35+
#define CONNLIMIT_SLOTS 256U
36+
37+
#ifdef CONFIG_LOCKDEP
38+
#define CONNLIMIT_LOCK_SLOTS 8U
39+
#else
40+
#define CONNLIMIT_LOCK_SLOTS 256U
41+
#endif
42+
3743
#define CONNLIMIT_GC_MAX_NODES 8
3844

3945
/* we will save the tuples of all connections we care about */
@@ -49,10 +55,11 @@ struct xt_connlimit_rb {
4955
union nf_inet_addr addr; /* search key */
5056
};
5157

58+
static spinlock_t xt_connlimit_locks[CONNLIMIT_LOCK_SLOTS] __cacheline_aligned_in_smp;
59+
5260
struct xt_connlimit_data {
5361
struct rb_root climit_root4[CONNLIMIT_SLOTS];
5462
struct rb_root climit_root6[CONNLIMIT_SLOTS];
55-
spinlock_t locks[CONNLIMIT_LOCK_SLOTS];
5663
};
5764

5865
static u_int32_t connlimit_rnd __read_mostly;
@@ -297,11 +304,11 @@ static int count_them(struct net *net,
297304
root = &data->climit_root4[hash];
298305
}
299306

300-
spin_lock_bh(&data->locks[hash % CONNLIMIT_LOCK_SLOTS]);
307+
spin_lock_bh(&xt_connlimit_locks[hash % CONNLIMIT_LOCK_SLOTS]);
301308

302309
count = count_tree(net, root, tuple, addr, mask, family);
303310

304-
spin_unlock_bh(&data->locks[hash % CONNLIMIT_LOCK_SLOTS]);
311+
spin_unlock_bh(&xt_connlimit_locks[hash % CONNLIMIT_LOCK_SLOTS]);
305312

306313
return count;
307314
}
@@ -377,9 +384,6 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
377384
return -ENOMEM;
378385
}
379386

380-
for (i = 0; i < CONNLIMIT_LOCK_SLOTS; ++i)
381-
spin_lock_init(&info->data->locks[i]);
382-
383387
for (i = 0; i < ARRAY_SIZE(info->data->climit_root4); ++i)
384388
info->data->climit_root4[i] = RB_ROOT;
385389
for (i = 0; i < ARRAY_SIZE(info->data->climit_root6); ++i)
@@ -435,11 +439,14 @@ static struct xt_match connlimit_mt_reg __read_mostly = {
435439

436440
static int __init connlimit_mt_init(void)
437441
{
438-
int ret;
442+
int ret, i;
439443

440444
BUILD_BUG_ON(CONNLIMIT_LOCK_SLOTS > CONNLIMIT_SLOTS);
441445
BUILD_BUG_ON((CONNLIMIT_SLOTS % CONNLIMIT_LOCK_SLOTS) != 0);
442446

447+
for (i = 0; i < CONNLIMIT_LOCK_SLOTS; ++i)
448+
spin_lock_init(&xt_connlimit_locks[i]);
449+
443450
connlimit_conn_cachep = kmem_cache_create("xt_connlimit_conn",
444451
sizeof(struct xt_connlimit_conn),
445452
0, 0, NULL);

0 commit comments

Comments
 (0)