linux/net/ipv6/netfilter
Florian Westphal 482cfc3185 netfilter: xtables: avoid percpu ruleset duplication
We store the rule blob per (possible) cpu. Unfortunately this means we can
waste a lot of memory on big smp machines. ipt_entry structure ('rule head')
is 112 bytes, so e.g. with maxcpu=64 one single rule eats
close to 8k RAM.

Since previous patch made counters percpu it appears there is nothing
left in the rule blob that needs to be percpu.

On my test system (144 possible cpus, 400k dummy rules) this
change saves close to 9 Gigabyte of RAM.

Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-06-12 14:27:10 +02:00
ip6_tables.c netfilter: xtables: avoid percpu ruleset duplication 2015-06-12 14:27:10 +02:00
ip6t_ah.c
ip6t_eui64.c
ip6t_frag.c
ip6t_hbh.c
ip6t_ipv6header.c netfilter: remove unnecessary break after return 2014-07-15 16:27:00 -07:00
ip6t_MASQUERADE.c netfilter: nf_nat: generalize IPv6 masquerading support for nf_tables 2014-09-09 16:31:29 +02:00
ip6t_mh.c
ip6t_NPT.c
ip6t_REJECT.c netfilter: ip6t_REJECT: check for IP6T_F_PROTO 2015-03-22 20:02:46 +01:00
ip6t_rpfilter.c net: ipv6: more places need LOOPBACK_IFINDEX for flowi6_iif 2014-04-28 14:47:03 -04:00
ip6t_rt.c
ip6t_SYNPROXY.c netfilter: Make nf_hookfn use nf_hook_state. 2015-04-04 12:31:38 -04:00
ip6table_filter.c netfilter: Pass nf_hook_state through ip6t_do_table(). 2015-04-04 12:52:06 -04:00
ip6table_mangle.c netfilter: Pass nf_hook_state through ip6t_do_table(). 2015-04-04 12:52:06 -04:00
ip6table_nat.c netfilter: Pass nf_hook_state through ip6t_do_table(). 2015-04-04 12:52:06 -04:00
ip6table_raw.c netfilter: Pass nf_hook_state through ip6t_do_table(). 2015-04-04 12:52:06 -04:00
ip6table_security.c netfilter: Pass nf_hook_state through ip6t_do_table(). 2015-04-04 12:52:06 -04:00
Kconfig netfilter: nf_tables: consolidate Kconfig options 2015-03-06 01:21:15 +01:00
Makefile netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module 2014-11-27 13:08:42 +01:00
nf_conntrack_l3proto_ipv6.c netfilter: Make nf_hookfn use nf_hook_state. 2015-04-04 12:31:38 -04:00
nf_conntrack_proto_icmpv6.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_reasm.c inet: frags: use kmem_cache for inet_frag_queue 2014-08-02 15:31:31 -07:00
nf_defrag_ipv6_hooks.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
nf_log_ipv6.c netfilter: Use LOGLEVEL_<FOO> defines 2015-03-25 12:09:39 +01:00
nf_nat_l3proto_ipv6.c netfilter: Pass nf_hook_state through nf_nat_ipv6_{in,out,fn,local_fn}(). 2015-04-04 12:48:08 -04:00
nf_nat_masquerade_ipv6.c netfilter: nf_nat: generalize IPv6 masquerading support for nf_tables 2014-09-09 16:31:29 +02:00
nf_nat_proto_icmpv6.c
nf_reject_ipv6.c netfilter: bridge: add helpers for fetching physin/outdev 2015-04-08 16:49:08 +02:00
nf_tables_ipv6.c netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nft_chain_nat_ipv6.c netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nft_chain_route_ipv6.c netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nft_masq_ipv6.c netfilter: nf_tables: get rid of NFT_REG_VERDICT usage 2015-04-13 17:17:07 +02:00
nft_redir_ipv6.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_reject_ipv6.c netfilter: nf_tables: get rid of NFT_REG_VERDICT usage 2015-04-13 17:17:07 +02:00