From: Michael <mutk@iprimus.com.au>
To: IPtables Users <netfilter@lists.samba.org>
Subject: Re: IP Accounting and performance
Date: Mon, 09 Dec 2002 10:13:22 +1000
Message-ID: <3DF3E022.50203@iprimus.com.au>
In-Reply-To: AB18D92A-0AF2-11D7-96A2-00039376F59E@gerry.de

Gerald Galster wrote:
> Hi all,
> 
> Perhaps you can give me some hints on a performance problem that I'm
> currently experiencing with iptables.
> 
> The situation is as follows:
> 
> I have a firewall currently running kernel 2.4.20, Celeron 1 GHz and
> 512 MB of RAM that should do traffic accounting based on single IP
> addresses. I thought it would be more efficient to use iptables than
> writing a standalone application using pcap or the like.
> 
> I need to add filtering rules like
> 
> /sbin/iptables -A FORWARD -o eth0 -s ip_address/32
> /sbin/iptables -A FORWARD -i eth0 -d ip_address/32
> 
> for about six class-C networks (this means about 3000 iptables rules).
> 
> The average throughput is around 3 Mbits / second.
> 
> After I've added those rules, the latency in ping times to a machine behind
> the firewall increases from 30 ms to over 200 ms ...
> 
> Now my question is if I can speed those things up ... do you have any 
> ideas?
> 
> Thanks in advance.
> 
> Regards,
> Gerald

Hmm. Exactly what this site says will happen: http://www.hipac.org/ 
(See the performance tests)

As far as I know, you will not be able to overcome the limitations 
that iptables has with large rulesets. You can minimise the effect 
with careful design, but once you have that many rules, iptables 
inevitably grinds to a halt.

nf-hipac does not currently have byte and packet counters, 
unfortunately. It has occurred to me many times that the most likely 
situation in which large rulesets are needed is when per-IP accounting 
is being done, yet nf-hipac does not yet have counters.

Cheers,
Michael
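As an added example (not part of either message above), the script below emits an iptables-restore file that keeps the per-IP counting rules Gerald describes but splits them into one user chain per class-C network, so a forwarded packet is checked against a handful of dispatch rules plus one 254-rule subchain instead of the whole flat list. The interface name, the `ACCT_*` chain names and the `10.0.x` prefixes are assumptions for illustration; the rules are only printed, never loaded.

```bash
#!/bin/sh
# gen_acct_rules <iface> <prefix>...  -> iptables-restore input on stdout
# Each <prefix> is the first three octets of a /24 (e.g. "10.0.1").
gen_acct_rules() {
    iface="$1"; shift
    echo '*filter'
    # Declare the user chains first; iptables-restore requires ":NAME - [0:0]"
    n=0
    for prefix in "$@"; do
        n=$((n + 1))
        echo ":ACCT_OUT_$n - [0:0]"
        echo ":ACCT_IN_$n - [0:0]"
    done
    n=0
    for prefix in "$@"; do
        n=$((n + 1))
        # Dispatch: one /24 match per direction in FORWARD jumps into the
        # network's own chain; non-matching networks cost one cheap test each.
        echo "-A FORWARD -o $iface -s $prefix.0/24 -j ACCT_OUT_$n"
        echo "-A FORWARD -i $iface -d $prefix.0/24 -j ACCT_IN_$n"
        # Counting rules have no target, so they only bump their counters
        # and fall through; the chain then RETURNs to FORWARD.
        i=1
        while [ "$i" -le 254 ]; do
            echo "-A ACCT_OUT_$n -s $prefix.$i/32"
            echo "-A ACCT_IN_$n -d $prefix.$i/32"
            i=$((i + 1))
        done
    done
    echo 'COMMIT'
}

# Worst-case rules evaluated per packet with this layout:
# every dispatch rule (2 per network) plus one full 254-rule subchain.
# A flat FORWARD chain would evaluate all 2*254*<networks> rules instead.
traversal_cost() {
    echo $(( 2 * $1 + 254 ))
}
```

Counters are read back with `iptables -L ACCT_OUT_1 -v -n -x` or `iptables-save -c`; the layout reduces the per-packet scan but does not change the fact that every matching rule is still a linear check.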
