From: Roberto Nibali <ratz@tac.ch>
To: KOVACS Krisztian <hidden@balabit.hu>
Cc: tady@gmx.net, netfilter-devel@lists.netfilter.org
Subject: Re: to solve the performance problem of netfilter
Date: Wed, 17 Dec 2003 18:01:45 +0100 [thread overview]
Message-ID: <3FE08BF9.8060404@tac.ch> (raw)
In-Reply-To: <1071676553.1058.48.camel@nienna.balabit>
Hello,
> Jozsef Kadlecsik has also done some benchmarking of ip_conntrack in a
> Gigabit environment. The slides of his presentation prepared for the
> Netfilter Workshop held in Budapest can be found at
>
> http://www.netfilter.org/~kadlec/workshop-2003-budapest/benchmark.sxi
Thank you very much for the pointer. Highly interesting, indeed. I was going to
check out what happened during that workshop one of these days ;).
> It contains tuning tips also, and is very interesting indeed.
From a quick skimming over the slides I get the impression that due to
excessive tweaking of certain variables in the proc-fs a possible discussion of
his results is highly difficult. Some of the graphs looked extremely suspicious
due to their sharp and steep curves. I'll have to invest some time into his
findings. But his tests are indeed extremely interesting.
> However,
> I'd like to see NAT benchmarks as well. Jozsef mentioned that NAT
> performance is horrible compared to conntrack,
Aehhm, cough, NAT compared to conntrack??
> and it would be really
> useful if bottlenecks could be identified. Would an OProfile benchmark
> be useful?
When I did my high speed packet filtering tests with huge numbers of rules I
used OProfile to measure L1 -> L2 transitions and TLB miss rates dependent on
the amount of rules netfilter has to match against.
I am not sure OProfile helps in identifying the issues which are at work when
using conntrack, NAT and Gbit networks. I suspect certain performance penalties
due to the size of the conntrack (-slabs), the bucket size, the functions which
parse the table and bad hardware ;).
My first try would be to readprofile the packet filter kernel and get some
information from therein and then continue to isolate the culprit(s).
BTW, if you need fast NAT, use iproute2: ip rule add nat ...
Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
next prev parent reply other threads:[~2003-12-17 17:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-12-17 10:57 to solve the performance problem of netfilter tady
2003-12-17 15:27 ` Roberto Nibali
2003-12-17 15:55 ` KOVACS Krisztian
2003-12-17 17:01 ` Roberto Nibali [this message]
2003-12-17 17:09 ` Henrik Nordstrom
2003-12-18 12:02 ` Jozsef Kadlecsik
-- strict thread matches above, loose matches on Subject: below --
2003-12-17 2:29 zhengchuanbo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3FE08BF9.8060404@tac.ch \
--to=ratz@tac.ch \
--cc=hidden@balabit.hu \
--cc=netfilter-devel@lists.netfilter.org \
--cc=tady@gmx.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.