netfilter regression introducing a performance slowdown in binary arp/ip/ip6tables
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | High | Eric Desrochers | |
| Xenial | Fix Released | High | Eric Desrochers | |
| Yakkety | Fix Released | High | Eric Desrochers | |
Bug Description
[SRU JUSTIFICATION]
[Impact]
It has been brought to my attention that Ubuntu kernel 4.4 has a severe netfilter regression affecting the performance of the "/sbin/iptables" command, especially when adding a large number of policies. My source has documented everything here[2].
Note that the situation can also be reproduced with the latest and greatest upstream kernel v4.9-rc4.
I was able to reproduce the situation on my side, and a kernel bisect identified the same offending commit[1] as my source found for this bug.
Running the commit right before the offending one has proven to have the expected performance:
# commit [71ae0dff] <== Offending commit
real 0m33.314s
user 0m1.520s
sys 0m26.192s
# commit [d7b59742] <== Right before offending commit
real 0m5.952s
user 0m0.124s
sys 0m0.220s
[Test Case]
* Reproducer #1
$ iptables -F
$ time (./list-addrs 3000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
* Reproducer #2
$ iptables -F
$ time for f in `seq 1 3000` ; do iptables -A FORWARD ; done
"list-addrs" script can be found here[3]
[Regression Potential]
* none expected, the patches have been proven to work on the mainline kernel, and were reviewed by a few netfilter maintainers + tested by myself.
Reference:
https:/
Patches:
https:/
https:/
https:/
[Other Info]
* "iptables-restore" doesn't suffer from that netfilter regression, and I'm also aware that "iptables-restore" is the favourite approach since it is way more efficient than iptables executed over and over, once for each policy one wants to set, but since "binary arp/ip/ip6tables" takes vastly longer to perform with that commit, I think this needs to be addressed anyway.
[Related Documents]
[1] - https:/
[2] - https:/
[3] - https:/
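The batch-load approach mentioned under [Other Info], as an added example that is not part of the bug report or of the kernel patches: the same 3000 FORWARD rules from reproducer #1 are written once as an iptables-restore ruleset and committed in a single pass, instead of one /sbin/iptables invocation (and one full table fetch/replace) per rule. The list_addrs generator and its 10.0.x.y addresses are constructed stand-ins for the reporter's list-addrs script, which is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the bug report or the Ubuntu kernel tree): load the
# reproducer's 3000 FORWARD rules with one iptables-restore call instead of
# one /sbin/iptables call per rule. Every iptables invocation fetches the whole
# table, edits it and replaces it, so a loop of N calls does N table copies;
# iptables-restore builds the ruleset once and commits it atomically.

# Constructed stand-in for the reporter's list-addrs script: N addresses of the
# form 10.0.<i/256>.<i%256>.
list_addrs() {
    n=$1
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '10.0.%d.%d\n' $((i / 256)) $((i % 256))
        i=$((i + 1))
    done
}

# Turn a list of addresses (one per line on stdin) into an iptables-restore
# ruleset for the filter table, one "-A FORWARD -s <addr> -j ACCEPT" line per
# address, mirroring reproducer #1. "*filter ... COMMIT" scopes the change to
# that one table.
build_ruleset() {
    echo '*filter'
    while read -r addr; do
        echo "-A FORWARD -s $addr -j ACCEPT"
    done
    echo 'COMMIT'
}

# Count the rule lines in a ruleset; a cheap sanity check before loading it.
count_rules() {
    grep -c '^-A '
}

# Needs root and iptables-restore; "-n" (noflush) keeps the rules already
# present in other chains and tables, like the per-rule "iptables -A" loop did.
if [ "${1:-}" = "--apply" ]; then
    list_addrs 3000 | build_ruleset | iptables-restore -n
fi
```

Timing `list_addrs 3000 | build_ruleset | iptables-restore -n` against reproducer #1 on the affected kernel shows the difference between one table replacement and 3000 of them.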
summary:
- netfilter regression introducing a performance slowdown in iptables
+ netfilter regression introducing a performance slowdown in binary ip/ip6tables
tags: added: kernel-da-key
Changed in linux (Ubuntu):
assignee: nobody → Eric Desrochers (slashd)
Changed in linux (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
Changed in linux (Ubuntu Trusty):
assignee: nobody → Eric Desrochers (slashd)
no longer affects: linux (Ubuntu Trusty)
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Xenial):
assignee: nobody → Eric Desrochers (slashd)
Changed in linux (Ubuntu):
importance: Medium → High
Changed in linux (Ubuntu Xenial):
importance: Medium → High
description: updated
description: updated
description: updated
description: updated
Changed in linux (Ubuntu Yakkety):
importance: Undecided → High
assignee: nobody → Eric Desrochers (slashd)
status: New → In Progress
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-done-yakkety removed: verification-needed-yakkety
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1640786
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.