Page MenuHomeFreeBSD

pf: Don't allocate per-table entry counters unless requested.
ClosedPublic

Authored by markj on May 10 2020, 10:13 PM.

Details

Summary

pf by default does not do table address accounting unless the "counters"
keyword is specified in the corresponding pf.conf entry. (There doesn't
appear to be a way to specify this at all when adding a table using
pfctl directly.) Yet, we always allocate counters. For large tables,
the memory overhead of the counters is quite significant since we
allocate 12 per table entry. (Plus 12 pointers in the table entry itself.)
Moreover, reloading a table definition from pf.conf causes all counters
to be zeroed, which corresponds to 12 SMP rendezvous operations per
entry, while holding the rules lock.

A further refinement might add a pfr_kentry counter array UMA zone, so
that we can allocate a contiguous array of counters and thus reduce
pointer overhead. We should also try to find a way to reduce the
overhead of counter zeroing.

Mitigate the problem by checking for PFR_TFLAG_COUNTERS before
performing any allocation.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

markj created this revision.May 10 2020, 10:13 PM
markj requested review of this revision.May 10 2020, 10:13 PM
markj edited the summary of this revision. (Show Details)
kp accepted this revision.May 11 2020, 7:52 AM

It'd be nice (but it's not required for this to proceed) to have a test to exercise this, i.e. create a table with counters, send some traffic through, check that the counters incremented.

This revision is now accepted and ready to land.May 11 2020, 7:52 AM
markj added a comment.May 11 2020, 3:07 PM
In D24803#545731, @kp wrote:

It'd be nice (but it's not required for this to proceed) to have a test to exercise this, i.e. create a table with counters, send some traffic through, check that the counters incremented.

Ok, I will write one.

This revision was automatically updated to reflect the committed changes.