netfilter: iptables: lock free counters

The reader/writer lock in ip_tables is acquired in the critical path of
processing packets and is one of the reasons just loading iptables can cause
a 20% performance loss. The rwlock serves two functions:

1) it prevents changes to table state (xt_replace) while table is in use.
   This is now handled by doing rcu on the xt_table. When table is
   replaced, the new table(s) are put in and the old one table(s) are freed
   after RCU period.

2) it provides synchronization when accesing the counter values.
   This is now handled by swapping in new table_info entries for each cpu
   then summing the old values, and putting the result back onto one
   cpu.  On a busy system it may cause sampling to occur at different
   times on each cpu, but no packet/byte counts are lost in the process.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

Sucessfully tested on my dual quad core machine too, but iptables only (no ipv6 here)
BTW, my new "tbench 8" result is 2450 MB/s, (it was 2150 MB/s not so long ago)

Acked-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

1 files changed, 21 insertions, 5 deletions

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index bfbf521f6ea..bfcac92d556 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -625,6 +625,20 @@ void xt_free_table_info(struct xt_table_info *info)
 }
 EXPORT_SYMBOL(xt_free_table_info);
 
+void xt_table_entry_swap_rcu(struct xt_table_info *oldinfo,
+                             struct xt_table_info *newinfo)
+{
+        unsigned int cpu;
+
+        for_each_possible_cpu(cpu) {
+                void *p = oldinfo->entries[cpu];
+                rcu_assign_pointer(oldinfo->entries[cpu], newinfo->entries[cpu]);
+                newinfo->entries[cpu] = p;
+        }
+
+}
+EXPORT_SYMBOL_GPL(xt_table_entry_swap_rcu);
+
 /* Find table by name, grabs mutex & ref.  Returns ERR_PTR() on error. */
 struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
                                     const char *name)
@@ -671,21 +685,22 @@ xt_replace_table(struct xt_table *table,
         struct xt_table_info *oldinfo, *private;
 
         /* Do the substitution. */
-        write_lock_bh(&table->lock);
+        mutex_lock(&table->lock);
         private = table->private;
         /* Check inside lock: is the old number correct? */
         if (num_counters != private->number) {
                 duprintf("num_counters != table->private->number (%u/%u)\n",
                          num_counters, private->number);
-                write_unlock_bh(&table->lock);
+                mutex_unlock(&table->lock);
                 *error = -EAGAIN;
                 return NULL;
         }
         oldinfo = private;
-        table->private = newinfo;
+        rcu_assign_pointer(table->private, newinfo);
         newinfo->initial_entries = oldinfo->initial_entries;
-        write_unlock_bh(&table->lock);
+        mutex_unlock(&table->lock);
 
+        synchronize_net();
         return oldinfo;
 }
 EXPORT_SYMBOL_GPL(xt_replace_table);
@@ -719,7 +734,8 @@ struct xt_table *xt_register_table(struct net *net, struct xt_table *table,
 
         /* Simplifies replace_table code. */
         table->private = bootstrap;
-        rwlock_init(&table->lock);
+        mutex_init(&table->lock);
+
         if (!xt_replace_table(table, 0, newinfo, &ret))
                 goto unlock;