One iptables invocation with 135000 rules takes 35 seconds of cpu time
on a recent server, using a 32bit distro and a 64bit kernel.
We eventually trigger NMI/RCU watchdog.
INFO: rcu_sched_state detected stall on CPU 3 (t=6000 jiffies)
COMPAT mode has quadratic behavior and consumes 16 bytes of memory per
rule.
Switch the xt_compat algos to use an array instead of list, and use a
binary search to locate an offset in the sorted array.
This halves memory need (8 bytes per rule), and removes quadratic
behavior [ O(N*N) -> O(N*log2(N)) ]
Time of iptables goes from 35 s to 150 ms.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ref: 255d0dc340
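The following is an added example, not code from the commit above or from the kernel: a user-space model of the sorted-array approach the message describes. Each rule gets one 8-byte entry (compat offset plus the cumulative native-minus-compat delta), entries are appended in table order so the array is already sorted, and a binary search returns the delta that turns a 32-bit table offset into its 64-bit counterpart. The struct and function names, and the five-rule sample, are constructed for illustration; the list-walk version is kept only to cross-check the search.

```c
#include <stdio.h>
#include <stdlib.h>

/* One entry per rule: its offset in the 32-bit (compat) table and the
 * cumulative size delta (native minus compat) of every rule up to and
 * including it. Two 32-bit fields: 8 bytes per rule. */
struct compat_delta {
	unsigned int offset;
	int delta;
};

struct compat_table {
	struct compat_delta *tab;
	unsigned int cur;	/* entries in use */
	unsigned int number;	/* capacity, known up front from the rule count */
};

/* Append one rule. Rules arrive in table order, so offsets are strictly
 * increasing and the array is sorted without a sort pass. */
static int table_add_offset(struct compat_table *t, unsigned int offset, int delta)
{
	if (t->cur >= t->number)
		return -1;
	if (t->cur && offset <= t->tab[t->cur - 1].offset)
		return -1;	/* an out-of-order offset would break the search */
	t->tab[t->cur].offset = offset;
	t->tab[t->cur].delta = t->cur ? t->tab[t->cur - 1].delta + delta : delta;
	t->cur++;
	return 0;
}

/* Sum of the deltas of all rules that start before `offset`, i.e. how far
 * a compat offset moves to become a native offset. Binary search for
 * `offset` (or its insertion point) and take the predecessor's cumulative
 * delta: O(log N) per lookup. */
static int calc_jump_bsearch(const struct compat_table *t, unsigned int offset)
{
	int left = 0, right = (int)t->cur - 1;

	while (left <= right) {
		int mid = left + (right - left) / 2;
		if (offset > t->tab[mid].offset)
			left = mid + 1;
		else if (offset < t->tab[mid].offset)
			right = mid - 1;
		else
			return mid ? t->tab[mid - 1].delta : 0;
	}
	return left ? t->tab[left - 1].delta : 0;
}

/* The list-walk equivalent: O(N) per lookup, O(N*N) over a whole table. */
static int calc_jump_linear(const struct compat_table *t, unsigned int offset)
{
	int last = 0;
	unsigned int i;

	for (i = 0; i < t->cur && t->tab[i].offset < offset; i++)
		last = t->tab[i].delta;
	return last;
}

static unsigned int native_offset(const struct compat_table *t, unsigned int compat_off)
{
	return compat_off + (unsigned int)calc_jump_bsearch(t, compat_off);
}

/* Constructed sample, not real iptables rules: compat size of each rule
 * and the extra bytes its 64-bit layout needs. */
#define NRULES 5
static const unsigned int sample_compat_size[NRULES] = { 96, 128, 96, 160, 96 };
static const int sample_delta[NRULES] = { 16, 32, 16, 48, 16 };

static int build_sample_table(struct compat_table *t)
{
	unsigned int off = 0, i;

	t->tab = calloc(NRULES, sizeof(*t->tab));
	if (!t->tab)
		return -1;
	t->cur = 0;
	t->number = NRULES;
	for (i = 0; i < NRULES; i++) {
		if (table_add_offset(t, off, sample_delta[i]))
			return -1;
		off += sample_compat_size[i];
	}
	return 0;
}

/* Cross-check both lookups on every byte offset up to the table end;
 * returns 1 when they agree everywhere. */
static int verify_sample(const struct compat_table *t)
{
	unsigned int end = 0, off, i;

	for (i = 0; i < NRULES; i++)
		end += sample_compat_size[i];
	for (off = 0; off <= end; off++)
		if (calc_jump_bsearch(t, off) != calc_jump_linear(t, off))
			return 0;
	return 1;
}

int main(void)
{
	struct compat_table t;
	unsigned int off = 0, i;

	if (build_sample_table(&t))
		return 1;
	for (i = 0; i < NRULES; i++) {
		printf("rule %u: compat offset %3u -> native offset %3u\n",
		       i, off, native_offset(&t, off));
		off += sample_compat_size[i];
	}
	printf("lookups agree: %s\n", verify_sample(&t) ? "yes" : "no");
	free(t.tab);
	return 0;
}
```

The ordering check in `table_add_offset` is the part worth keeping in mind: the binary search is only correct because insertion order guarantees a sorted array, so an offset that arrives out of order must be rejected rather than silently appended.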
recent_net_exit() is called before recent_mt_destroy() in the
destroy path of network namespaces. Make sure there are no entries
in the parent proc entry xt_recent before removing it.
Signed-off-by: Vitaly E. Lavrov <lve@guap.ru>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ref: 32263dd1b4
This was causing timeouts to never be removed from the linked list that
tracks them, resulting in both memory and CPU usage growing larger over
time.
Ref: https://github.com/lathiat/avahi/pull/366
Changes avahi to use a new internal type for timers instead of struct
timeval. This prevents accidental mixing between a time value from
gettimeofday() and a time value from avahi_now(), as the latter may be
from the monotonic clock instead of gettimeofday()
Ref: https://github.com/lathiat/avahi/pull/96
Use clock_gettime() + CLOCK_MONOTONIC as the clock source on platforms
that support it. This allows the various timers used within Avahi to
function correctly even when the system clock is changed. This is
especially important when the system clock is set backward by a
significant amount of time, as this can cause responses and queries in
their respective history queues to prevent future responses and queries
from being sent for an extended period of time.
Ref: https://github.com/lathiat/avahi/pull/96
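An added example for the two pull/96 entries above; it is not avahi's code and the type and function names (`mono_time`, `timer_due`, `wall_timer_extra_wait`) are invented for illustration. It shows both points: a distinct struct type for timer timestamps, so a `struct timeval` from `gettimeofday()` cannot be mixed in without a compile error, and the monotonic clock source. The clock-step experiment runs on constructed clock readings rather than by changing the system clock.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#include <sys/time.h>

/* Distinct timestamp type for timers. Because it is a struct, a struct
 * timeval from gettimeofday() cannot be passed where a mono_time is
 * expected, nor subtracted from one, without a compile error. */
typedef struct { long long usec; } mono_time;

static mono_time mono_from_usec(long long usec)
{
	mono_time t = { usec };
	return t;
}

static mono_time mono_add(mono_time t, long long usec)
{
	return mono_from_usec(t.usec + usec);
}

static long long mono_diff(mono_time a, mono_time b)
{
	return a.usec - b.usec;
}

/* Live clock: CLOCK_MONOTONIC where the platform has it, wall time otherwise. */
static mono_time mono_now(void)
{
#ifdef CLOCK_MONOTONIC
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts);
	return mono_from_usec((long long)ts.tv_sec * 1000000LL + ts.tv_nsec / 1000);
#else
	struct timeval tv;
	gettimeofday(&tv, NULL);
	return mono_from_usec((long long)tv.tv_sec * 1000000LL + tv.tv_usec);
#endif
}

/* A timer is due when now is at or past its deadline. Only mono_time is
 * accepted: timer_due(deadline, some_timeval) does not compile. */
static int timer_due(mono_time deadline, mono_time now)
{
	return mono_diff(now, deadline) >= 0;
}

/* The old way, for comparison: deadlines kept as struct timeval. */
static int timeval_due(struct timeval deadline, struct timeval now)
{
	return now.tv_sec > deadline.tv_sec ||
	       (now.tv_sec == deadline.tv_sec && now.tv_usec >= deadline.tv_usec);
}

/* Simulation on constructed clock readings. A 2 s timer is armed from the
 * wall clock, the clock is set back by step_back_sec, then 2 real seconds
 * pass. Returns how many extra seconds the timer still waits (0 = fired). */
static long wall_timer_extra_wait(long step_back_sec)
{
	struct timeval now = { 1700000000L, 0 };	/* constructed gettimeofday() value */
	struct timeval deadline = { now.tv_sec + 2, 0 };

	now.tv_sec -= step_back_sec;	/* admin or NTP steps the clock back */
	now.tv_sec += 2;		/* two real seconds elapse */
	return timeval_due(deadline, now) ? 0 : deadline.tv_sec - now.tv_sec;
}

static int wall_timer_fires(long step_back_sec)
{
	return wall_timer_extra_wait(step_back_sec) == 0;
}

/* Same experiment against the monotonic source: the step has no effect. */
static int mono_timer_fires(long step_back_sec)
{
	mono_time now = mono_from_usec(5000LL * 1000000LL);	/* constructed uptime-based value */
	mono_time deadline = mono_add(now, 2 * 1000000LL);

	(void)step_back_sec;	/* CLOCK_MONOTONIC does not move when the wall clock is set */
	now = mono_add(now, 2 * 1000000LL);
	return timer_due(deadline, now);
}

int main(void)
{
	mono_time t0 = mono_now();

	printf("wall-clock timer, no step:  %s\n", wall_timer_fires(0) ? "fires" : "stuck");
	printf("wall-clock timer, -3600 s:  %s (%ld s late)\n",
	       wall_timer_fires(3600) ? "fires" : "stuck", wall_timer_extra_wait(3600));
	printf("monotonic timer, -3600 s:   %s\n", mono_timer_fires(3600) ? "fires" : "stuck");
	printf("monotonic clock advanced %lld us during this run\n", mono_diff(mono_now(), t0));
	return 0;
}
```

The stuck wall-clock timer is exactly the failure the entry describes: a response or query sitting in a history queue with a deadline an hour in the future blocks everything behind it until the wall clock catches up.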
* Corrected a segfault in the code on shutdown.
* Fixed memory initialization error which caused problems with shutdown; see above.
* Added NDEBUG calls around debugging fprintfs.
Ref: https://github.com/lathiat/avahi/pull/17
If a dead AvahiEntry cleanup is scheduled, and we try to schedule
another one, defer the existing callback by 1s. Also remove other calls
to avahi_cleanup_dead_entries.
This is done to ensure that an entry stays in the dead state for at
least 1 second, so that if we receive a copy of our own probe we don't
think it's a conflict.
This should resolve issues where on startup the server spuriously
conflicts with itself and renames to hostname-2, hostname-3, etc. This
typically happens as addresses are rapidly added and removed, e.g. when
IPv6 global addresses cause the link local address to be revoked.
Ideally to prevent excess memory usage we would track the age of the
entries and expire them sooner to prevent the schedule being deferred
forever on a busy server.
Ref: https://github.com/lathiat/avahi/pull/366
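An added simulation of the scheduling rule in the pull/366 entries above, written for this page and not taken from avahi: a pending cleanup is pushed out to now + 1 s whenever another dead entry is added, so every entry stays dead for at least a second, and an echo of our own probe finds the dead copy instead of declaring a conflict. It also reproduces the caveat at the end of the text: on a busy server the deferral can starve the cleanup indefinitely. The `struct server` model, the tick interval and the two scenarios are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the dead-entry cleanup scheduling, in whole
 * milliseconds. Not avahi's own data structures. */
#define MAX_ENTRIES 64
#define DEAD_HOLD_MS 1000	/* an entry must stay dead at least this long */

struct server {
	long died_at[MAX_ENTRIES];	/* dead entries still held */
	int ndead;
	int cleanup_scheduled;
	long cleanup_at;
	int cleanups_run;
	long min_age_removed;	/* youngest entry ever cleaned up, -1 if none */
};

static void server_init(struct server *s)
{
	memset(s, 0, sizeof(*s));
	s->min_age_removed = -1;
}

/* The rule from the PR: a second request while a cleanup is pending does
 * not add a callback, it pushes the existing one out to now + 1 s. */
static void schedule_cleanup(struct server *s, long now)
{
	s->cleanup_at = now + DEAD_HOLD_MS;
	s->cleanup_scheduled = 1;
}

static void entry_died(struct server *s, long now)
{
	if (s->ndead < MAX_ENTRIES)
		s->died_at[s->ndead++] = now;
	schedule_cleanup(s, now);
}

/* Echo of our own probe: a dead copy of the record still on hand means it
 * is ours, not a conflict. Returns 1 when it would trigger a rename. */
static int own_probe_is_conflict(const struct server *s)
{
	return s->ndead == 0;
}

/* Run the pending cleanup callback if its time has come. */
static void server_tick(struct server *s, long now)
{
	int i;

	if (!s->cleanup_scheduled || now < s->cleanup_at)
		return;
	for (i = 0; i < s->ndead; i++) {
		long age = now - s->died_at[i];
		if (s->min_age_removed < 0 || age < s->min_age_removed)
			s->min_age_removed = age;
	}
	s->ndead = 0;
	s->cleanup_scheduled = 0;
	s->cleanups_run++;
}

/* Drive the model: entries die at the given times, the server ticks
 * every 100 ms until end_ms. */
static void run_scenario(struct server *s, const long *deaths, int ndeaths, long end_ms)
{
	long now;
	int i;

	server_init(s);
	for (now = 0; now <= end_ms; now += 100) {
		for (i = 0; i < ndeaths; i++)
			if (deaths[i] == now)
				entry_died(s, now);
		server_tick(s, now);
	}
}

/* Startup churn: three addresses come and go within 600 ms, then quiet. */
static void run_quiet(struct server *s)
{
	static const long deaths[] = { 0, 300, 600 };
	run_scenario(s, deaths, 3, 3000);
}

/* Busy server: something dies every 500 ms for 10 s. Each death defers
 * the callback again, so it never runs and the dead list only grows. */
#define BUSY_DEATHS 21
static void run_busy(struct server *s)
{
	long deaths[BUSY_DEATHS];
	int i;

	for (i = 0; i < BUSY_DEATHS; i++)
		deaths[i] = i * 500L;
	run_scenario(s, deaths, BUSY_DEATHS, 10000);
}

int main(void)
{
	struct server s;

	run_quiet(&s);
	printf("quiet: cleanups=%d, youngest entry removed after %ld ms\n",
	       s.cleanups_run, s.min_age_removed);
	run_busy(&s);
	printf("busy:  cleanups=%d, dead entries still held=%d, own probe conflict=%d\n",
	       s.cleanups_run, s.ndead, own_probe_is_conflict(&s));
	return 0;
}
```

In the quiet run the single cleanup fires 1.6 s after the first death and the youngest entry is exactly 1000 ms old, which is the guarantee the entry wants. In the busy run the callback is deferred 21 times and never executes, which is why the text suggests expiring entries by age rather than relying on the deferred callback alone.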
Ignore the Novatel USB730L modem - otherwise,
a kernel that is compiled with a static HID driver
will not allow a USB mode switch of the modem from the default
user mode (product ID: 9030) into enterprise mode (product ID: 9032).