TIMEBLOCK and performance

TIMEBLOCK and performance

[caster]

[-- Attachment #1.1: Type: text/plain, Size: 1839 bytes --]

Thanks to reply my question.

 

Sorry to make a trivial question on the nefilter-dev board.

But, I just try to make a initiative that meets  both performance of netfilter and 

Solving problem of immidate apply of reject rule for currently using session.

 

If ACCEPT rule about Established session on the top of forward chain in iptables is not there 

, and 5 thousands of rule with timeblock is resided before ACCEPT rule about Establsihed session 

 

think. 

 

How many CPU cycle is consumed for the packet which do not match timeblock rule before Establish one?

What happens If there is 500Mbit/s flow with 64bytes in there .

 

I test netfilter firewall with gigabit NIC in my school. And I think that netfilter should be modified to support full-duplex

1 gigabit flow with 64 bytes.( I hope) 

 

My linux box is dual Xeon with 2giga ram. But it¡¯s performance in gigabit environment is not good. And

What do not happen in100M environment occurs like ULOG and LOG problem.

 

so, I want to put the Established-state accepting rule on the top of  FORWARD chain . 

 

and to solve the problem of immidate apply of reject rule for currently using session when Established-state accepting rule

is on the top of FORWARD chain , 

I try to reestimate the session in particular moment. 

 

It Reads the conntrack entry in hash and redo do_iptables() in FORWARD chain except state-matching rule.

And if existing session can¡¯t pass the chain , run their timer fuction and destroy it.

 

Do You think that it works correctly?

 

And one more Question.

I just wanna improve performance of netfilter in gigabit environment.

What do you think netfilter¡¯s bottleneck is?

And which part of kernel is modified to optimize performance?

 

wizard







[-- Attachment #1.2: Type: text/html, Size: 2312 bytes --]

TIMEBLOCK and performance

[caster]

[-- Attachment #1.1: Type: text/plain, Size: 2007 bytes --]

 
> Thanks to reply my question.
> 
>  
> 
> Sorry to make a trivial question on the nefilter-dev board.
> 
> But, I just try to make a initiative that meets  both performance of netfilter and 
> 
> Solving problem of immidate apply of reject rule for currently using session.
> 
>  
> 
> If ACCEPT rule about Established session on the top of forward chain in iptables is not there 
> 
> , and 5 thousands of rule with timeblock is resided before ACCEPT rule about Establsihed session 
> 
>  
> 
> think. 
> 
>  
> 
> How many CPU cycle is consumed for the packet which do not match timeblock rule before Establish one?
> 
> What happens If there is 500Mbit/s flow with 64bytes in there .
> 
>  
> 
> I test netfilter firewall with gigabit NIC in my school. And I think that netfilter should be modified to support full-duplex
> 
> 1 gigabit flow with 64 bytes.( I hope) 
> 
>  
> 
> My linux box is dual Xeon with 2giga ram. But it¡¯s performance in gigabit environment is not good. And
> 
> What do not happen in100M environment occurs like ULOG and LOG problem.
> 
>  
> 
> so, I want to put the Established-state accepting rule on the top of  FORWARD chain . 
> 
>  
> 
> and to solve the problem of immidate apply of reject rule for currently using session when Established-state accepting rule
> 
> is on the top of FORWARD chain , 
> 
> I try to reestimate the session in particular moment. 
> 
>  
> 
> It Reads the conntrack entry in hash and redo do_iptables() in FORWARD chain except state-matching rule.
> 
> And if existing session can¡¯t pass the chain , run their timer fuction and destroy it.
> 
>  
> 
> Do You think that it works correctly?
> 
>  
> 
> And one more Question.
> 
> I just wanna improve performance of netfilter in gigabit environment.
> 
> What do you think netfilter¡¯s bottleneck is?
> 
> And which part of kernel is modified to optimize performance?
> 
>  
> 
> wizard
> 
> 
> 
> 
> 
> 



[-- Attachment #1.2: Type: text/html, Size: 2486 bytes --]

[-- Attachment #2: Type: message/rfc822, Size: 6309 bytes --]

[-- Attachment #2.1.1.1: Type: text/plain, Size: 1839 bytes --]

Thanks to reply my question.

 

Sorry to make a trivial question on the nefilter-dev board.

But, I just try to make a initiative that meets  both performance of netfilter and 

Solving problem of immidate apply of reject rule for currently using session.

 

If ACCEPT rule about Established session on the top of forward chain in iptables is not there 

, and 5 thousands of rule with timeblock is resided before ACCEPT rule about Establsihed session 

 

think. 

 

How many CPU cycle is consumed for the packet which do not match timeblock rule before Establish one?

What happens If there is 500Mbit/s flow with 64bytes in there .

 

I test netfilter firewall with gigabit NIC in my school. And I think that netfilter should be modified to support full-duplex

1 gigabit flow with 64 bytes.( I hope) 

 

My linux box is dual Xeon with 2giga ram. But it¡¯s performance in gigabit environment is not good. And

What do not happen in100M environment occurs like ULOG and LOG problem.

 

so, I want to put the Established-state accepting rule on the top of  FORWARD chain . 

 

and to solve the problem of immidate apply of reject rule for currently using session when Established-state accepting rule

is on the top of FORWARD chain , 

I try to reestimate the session in particular moment. 

 

It Reads the conntrack entry in hash and redo do_iptables() in FORWARD chain except state-matching rule.

And if existing session can¡¯t pass the chain , run their timer fuction and destroy it.

 

Do You think that it works correctly?

 

And one more Question.

I just wanna improve performance of netfilter in gigabit environment.

What do you think netfilter¡¯s bottleneck is?

And which part of kernel is modified to optimize performance?

 

wizard







[-- Attachment #2.1.1.2: Type: text/html, Size: 2162 bytes --]