* Iptables efficiency
@ 2003-03-10 18:04 Rinse Kloek
2003-03-11 13:13 ` Raymond Leach
2003-03-11 14:31 ` Joel Newkirk
0 siblings, 2 replies; 3+ messages in thread
From: Rinse Kloek @ 2003-03-10 18:04 UTC (permalink / raw)
To: netfilter
We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits
Gigabit interfaces. On the machine we have a lot of iptables rules like :
all -- 213.134.x.0 0.0.0.0/0
all -- 0.0.0.0/0 213.134.x.0
TOS all -- 213.134.x.4 0.0.0.0/0 TOS set 0x08
all -- 0.0.0.0/0 213.134.x.4
We have about 3200 iptables rules on our bridge. I've tested today to
remove 1000 of these rules. The load dropped from about 40% to 25%. So I
think the iptables rule take up the most of the CPU load. Do you think this
is a problem of ineffeciency of iptables or just a 'limitation' in the
TCP/IP stack of linux ?
regards Rinse
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Iptables efficiency 2003-03-10 18:04 Iptables efficiency Rinse Kloek @ 2003-03-11 13:13 ` Raymond Leach 2003-03-11 14:31 ` Joel Newkirk 1 sibling, 0 replies; 3+ messages in thread From: Raymond Leach @ 2003-03-11 13:13 UTC (permalink / raw) To: Netfilter Mailing List [-- Attachment #1: Type: text/plain, Size: 1688 bytes --] On Mon, 2003-03-10 at 20:04, Rinse Kloek wrote: > We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits > Gigabit interfaces. On the machine we have a lot of iptables rules like : > all -- 213.134.x.0 0.0.0.0/0 > all -- 0.0.0.0/0 213.134.x.0 > TOS all -- 213.134.x.4 0.0.0.0/0 TOS set 0x08 > all -- 0.0.0.0/0 213.134.x.4 > > We have about 3200 iptables rules on our bridge. I've tested today to > remove 1000 of these rules. The load dropped from about 40% to 25%. So I > think the iptables rule take up the most of the CPU load. Do you think this > is a problem of ineffeciency of iptables or just a 'limitation' in the > TCP/IP stack of linux ? > Probably the packet parser having a hard time trying to make sense of that many rules ... > regards Rinse -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ( Raymond Leach ) ) Knowledge Factory ( ( ) ) Tel: +27 11 445 8100 ( ( Fax: +27 11 445 8101 ) ) ( ( http://www.knowledgefactory.co.za/ ) ) http://www.saptg.co.za/ ( ( http://www.mapnet.co.za/ ) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o o o o .--. .--. | o_o| |o_o | | \_:| |:_/ | / / \\ // \ \ ( | |) (| | ) /`\_ _/'\ /'\_ _/`\ \___)=(___/ \___)=(___/ [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Iptables efficiency 2003-03-10 18:04 Iptables efficiency Rinse Kloek 2003-03-11 13:13 ` Raymond Leach @ 2003-03-11 14:31 ` Joel Newkirk 1 sibling, 0 replies; 3+ messages in thread From: Joel Newkirk @ 2003-03-11 14:31 UTC (permalink / raw) To: Rinse Kloek, netfilter On Monday 10 March 2003 01:04 pm, Rinse Kloek wrote: > We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits > Gigabit interfaces. On the machine we have a lot of iptables rules > like : all -- 213.134.x.0 0.0.0.0/0 > all -- 0.0.0.0/0 213.134.x.0 > TOS all -- 213.134.x.4 0.0.0.0/0 TOS set 0x08 > all -- 0.0.0.0/0 213.134.x.4 > > We have about 3200 iptables rules on our bridge. I've tested today to > remove 1000 of these rules. The load dropped from about 40% to 25%. So > I think the iptables rule take up the most of the CPU load. Do you > think this is a problem of ineffeciency of iptables or just a > 'limitation' in the TCP/IP stack of linux ? > > regards Rinse What is the traffic load like? What types of matches are you performing? IP and port, TOS, state, string? Are most of your rules 'test and drop' or 'test and accept', or are you performing extensive modifications like the TOS set above? These are big factors in the cost of getting a packet through. What is the structure of the ruleset? Is it 'flat' where a given packet could potentially be tested against a large percentage of these rules? If you haven't done so, try organizing your rules as a tree, using custom chains. IE, instead of having 2000 rules in a row in FORWARD that test "-s a.b.c.d" try having rules that test "-s a.b.c.n/24" "-s a.b.d.n/24" "a.b.e.n/24" etc and jump to user-defined chains, one for each of the main rules. This will immediately reduce the maximum number of tests for a given packet from ~2000 to ~260. (max now would be 253 for all legal values of the last octet, plus the number of rules in the main chain) You can further reduce by breaking that last octet down into, say, 16 chains of 16 IPs each, and then your second-level chains will contain rules that test "-s a.b.c.0/28" "-s a.b.c.16/28" "-s a.b.c.32/28" etc and jump to even more detailed chains. Now you've reduced your maximum from ~2000 tests to ~40. (16+16+mainchain - .0 and .255 only shorten two of these third-level chains) Has removal of those rules increased the throughput, or just the CPU load on the bridge? j ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2003-03-11 14:31 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2003-03-10 18:04 Iptables efficiency Rinse Kloek 2003-03-11 13:13 ` Raymond Leach 2003-03-11 14:31 ` Joel Newkirk
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.