* Iptables efficiency
@ 2003-03-10 18:04 Rinse Kloek
2003-03-11 13:13 ` Raymond Leach
2003-03-11 14:31 ` Joel Newkirk
0 siblings, 2 replies; 3+ messages in thread
From: Rinse Kloek @ 2003-03-10 18:04 UTC (permalink / raw)
To: netfilter
We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits
Gigabit interfaces. On the machine we have a lot of iptables rules like :
all -- 213.134.x.0 0.0.0.0/0
all -- 0.0.0.0/0 213.134.x.0
TOS all -- 213.134.x.4 0.0.0.0/0 TOS set 0x08
all -- 0.0.0.0/0 213.134.x.4
We have about 3200 iptables rules on our bridge. I've tested today to
remove 1000 of these rules. The load dropped from about 40% to 25%. So I
think the iptables rule take up the most of the CPU load. Do you think this
is a problem of ineffeciency of iptables or just a 'limitation' in the
TCP/IP stack of linux ?
regards Rinse
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Iptables efficiency
2003-03-10 18:04 Iptables efficiency Rinse Kloek
@ 2003-03-11 13:13 ` Raymond Leach
2003-03-11 14:31 ` Joel Newkirk
1 sibling, 0 replies; 3+ messages in thread
From: Raymond Leach @ 2003-03-11 13:13 UTC (permalink / raw)
To: Netfilter Mailing List
[-- Attachment #1: Type: text/plain, Size: 1688 bytes --]
On Mon, 2003-03-10 at 20:04, Rinse Kloek wrote:
> We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits
> Gigabit interfaces. On the machine we have a lot of iptables rules like :
> all -- 213.134.x.0 0.0.0.0/0
> all -- 0.0.0.0/0 213.134.x.0
> TOS all -- 213.134.x.4 0.0.0.0/0 TOS set 0x08
> all -- 0.0.0.0/0 213.134.x.4
>
> We have about 3200 iptables rules on our bridge. I've tested today to
> remove 1000 of these rules. The load dropped from about 40% to 25%. So I
> think the iptables rule take up the most of the CPU load. Do you think this
> is a problem of ineffeciency of iptables or just a 'limitation' in the
> TCP/IP stack of linux ?
>
Probably the packet parser having a hard time trying to make sense of
that many rules ...
> regards Rinse
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Raymond Leach )
) Knowledge Factory (
( )
) Tel: +27 11 445 8100 (
( Fax: +27 11 445 8101 )
) (
( http://www.knowledgefactory.co.za/ )
) http://www.saptg.co.za/ (
( http://www.mapnet.co.za/ )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o o
o o
.--. .--.
| o_o| |o_o |
| \_:| |:_/ |
/ / \\ // \ \
( | |) (| | )
/`\_ _/'\ /'\_ _/`\
\___)=(___/ \___)=(___/
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Iptables efficiency
2003-03-10 18:04 Iptables efficiency Rinse Kloek
2003-03-11 13:13 ` Raymond Leach
@ 2003-03-11 14:31 ` Joel Newkirk
1 sibling, 0 replies; 3+ messages in thread
From: Joel Newkirk @ 2003-03-11 14:31 UTC (permalink / raw)
To: Rinse Kloek, netfilter
On Monday 10 March 2003 01:04 pm, Rinse Kloek wrote:
> We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits
> Gigabit interfaces. On the machine we have a lot of iptables rules
> like : all -- 213.134.x.0 0.0.0.0/0
> all -- 0.0.0.0/0 213.134.x.0
> TOS all -- 213.134.x.4 0.0.0.0/0 TOS set 0x08
> all -- 0.0.0.0/0 213.134.x.4
>
> We have about 3200 iptables rules on our bridge. I've tested today to
> remove 1000 of these rules. The load dropped from about 40% to 25%. So
> I think the iptables rule take up the most of the CPU load. Do you
> think this is a problem of ineffeciency of iptables or just a
> 'limitation' in the TCP/IP stack of linux ?
>
> regards Rinse
What is the traffic load like?
What types of matches are you performing? IP and port, TOS, state,
string? Are most of your rules 'test and drop' or 'test and accept', or
are you performing extensive modifications like the TOS set above?
These are big factors in the cost of getting a packet through.
What is the structure of the ruleset? Is it 'flat' where a given packet
could potentially be tested against a large percentage of these rules?
If you haven't done so, try organizing your rules as a tree, using custom
chains. IE, instead of having 2000 rules in a row in FORWARD that test
"-s a.b.c.d" try having rules that test "-s a.b.c.n/24" "-s a.b.d.n/24"
"a.b.e.n/24" etc and jump to user-defined chains, one for each of the
main rules. This will immediately reduce the maximum number of tests
for a given packet from ~2000 to ~260. (max now would be 253 for all
legal values of the last octet, plus the number of rules in the main
chain) You can further reduce by breaking that last octet down into,
say, 16 chains of 16 IPs each, and then your second-level chains will
contain rules that test "-s a.b.c.0/28" "-s a.b.c.16/28" "-s
a.b.c.32/28" etc and jump to even more detailed chains. Now you've
reduced your maximum from ~2000 tests to ~40. (16+16+mainchain - .0 and
.255 only shorten two of these third-level chains)
Has removal of those rules increased the throughput, or just the CPU load
on the bridge?
j
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2003-03-11 14:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-03-10 18:04 Iptables efficiency Rinse Kloek
2003-03-11 13:13 ` Raymond Leach
2003-03-11 14:31 ` Joel Newkirk
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.