I have submitted the patchset to the Ubuntu kernel team for the following releases(kernel versions) :
- Zesty (v4.9) - Yakkety (v4.8) - Xenial (v4.4) - Eric -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1640786 Title: netfilter regression introducing a performance slowdown in binary arp/ip/ip6tables Status in linux package in Ubuntu: In Progress Status in linux source package in Xenial: In Progress Status in linux source package in Yakkety: In Progress Bug description: [SRU JUSTIFICATION] [Impact] It has been brought to my attention that Ubuntu kernel 4.4 has a severe netfilter regression affecting the performance of "/sbin/iptables" command, especially when adding large number of policies. My source have documented everything here[2]. Note that the situation can also be reproduce with latest and greatest upstream kernel v4.9-rc4. I was able to reproduce the situation on my side, and a kernel bisect identified the same offending commit[1] as my source found for this bug. Running the commit right before the offending one have proven to have expected performance : # commit [71ae0dff] <== Offending commit real 0m33.314s user 0m1.520s sys 0m26.192s # commit [d7b59742] <== Right before offending commit real 0m5.952s user 0m0.124s sys 0m0.220s [Test Case] * Reproducer #1 $ iptables -F $ time (./list-addrs 3000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s) * Reproducer #2 $ iptables -F $ time for f in `seq 1 3000` ; do iptables -A FORWARD ; done "list-addrs" script can be found here[3] [Regression Potential] * none expected, the patches have been proven to work on mainline kernel, and was reviewed by a few netfilters maintainer + tested by myself. Reference: https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next/ Patches: https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next/+/2394ae21e8b652aff0db1c02e946243c1e2f5edb https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next/+/722d6785e3b29a3b9f95c4d77542a1416094786a https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next/+/18b61e8161cc308cbfd06d2e2c6c0758dfd925ef [Other Info] * "iptables-restore" doesn't suffer of that netfilter regression, and I'm also aware that "iptables-restore" is the favourite approach since it is way more efficient than iptables that is executed over and over, once for each policy one want to set, but since "binary arp/ip/ip6tables" takes vastly longer to perform with that commit, I think this need to be address anyway. [Related Documents] [1] - https://github.com/torvalds/linux/commit/71ae0dff02d756e4d2ca710b79f2ff5390029a5f [2] - https://gist.github.com/williammartin/b75e3faf5964648299e4d985413e6c0c [3] - https://gist.github.com/williammartin/b75e3faf5964648299e4d985413e6c0c#file-list-addrs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1640786/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
