* Some questions about using heavy iptables rules in a Linux box ....
@ 2006-05-09 15:28 hbchen
2006-05-09 23:14 ` John A. Sullivan III
2006-05-09 23:59 ` Carl-Daniel Hailfinger
0 siblings, 2 replies; 3+ messages in thread
From: hbchen @ 2006-05-09 15:28 UTC (permalink / raw)
To: netfilter-devel
Hi,
I have some questions about using heavy iptables rules in a Linux box.
1. Has anyone done a comparison of latency and throughput on traffic
through a Linux node with and without iptables (using lots of filtering rules)?
2. How much CPU time is spent on iptables (heavy filtering rules)?
3. Is there any significant impact (latency and throughput) on a 10G Ethernet link?
Thanks.
HB Chen
hbchen@lanl.gov
* Re: Some questions about using heavy iptables rules in a Linux box ....
From: John A. Sullivan III @ 2006-05-09 23:14 UTC (permalink / raw)
To: hbchen; +Cc: netfilter-devel
On Tue, 2006-05-09 at 09:28 -0600, hbchen wrote:
> Hi,
> I have some questions about using heavy iptables rules in a Linux box.
> 1. Has anyone done a comparison of latency and throughput on traffic
> through a Linux node with and without iptables (using lots of filtering rules)?
> 2. How much CPU time is spent on iptables (heavy filtering rules)?
> 3. Is there any significant impact (latency and throughput) on a 10G Ethernet link?
<snip>
I cannot help you much with measurements but I can relate some
production experiences we have had using the ISCS network security
management project with iptables to implement intra-perimeter security.
In these cases, we needed to deal with massive rule sets (>150,000
rules). As a result, we are successfully running this installation on
low end, off-the-shelf iptables appliances from CyberGuard (SG series).
Obviously, these are not handling 10Gbps traffic streams!
The ISCS (http://iscs.sourceforge.net) paradigm uses standard iptables
in a slightly different way to reduce the overhead associated with very
large rule sets such as those needed for interior security. We still
answer the question who has access to what but evaluate who separately
from what. The result is a modular rather than monolithic rule set.
Instead of needing a separate rule for every possible combination of who
and what, we need a single rule for each who and a single rule for each
what and then mix and match them.
In this particular installation, the 150,000 monolithic rules were
reduced to about 13,000 modular rules. I suppose we could do much
better if we implemented ipset. Not only that, but the traversal of the
rules is effectively indexed by "who", thus dramatically improving
performance. And the entire rule set took only a few hours to
automatically create and distribute using ISCS.
Hopefully, you can use a similar approach to reduce the load and
increase processing efficiency in your environment - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
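To make the "who" versus "what" split concrete, here is an added example written for this thread (my own sh, not ISCS code or anything from the project): it emits both layouts as iptables-restore text so the rule counts can be compared without loading them into a kernel. The host addresses (10.0.0.N), the service ports (1000+M on 192.0.2.1) and the chain names are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added illustration, not ISCS code: emit "who may reach what" rule sets as
# iptables-restore text so they can be counted without loading them.
# Hosts (10.0.0.N) and services (192.0.2.1, ports 1000+M) are constructed.

# Monolithic: one rule per (who, what) pair; a packet may scan all N*M rules.
gen_monolithic() {            # $1 = number of hosts, $2 = number of services
  echo '*filter'; echo ':FORWARD DROP [0:0]'
  i=1
  while [ "$i" -le "$1" ]; do
    j=1
    while [ "$j" -le "$2" ]; do
      echo "-A FORWARD -s 10.0.0.$i -d 192.0.2.1 -p tcp --dport $((1000+j)) -j ACCEPT"
      j=$((j+1))
    done
    i=$((i+1))
  done
  echo 'COMMIT'
}

# Modular: one FORWARD rule per who (jump to a per-source chain), one rule per
# what in a shared service chain, and one link rule per who. A packet from a
# host traverses at most N source matches plus M service matches, never N*M,
# and a source that matches no who chain falls through to the DROP policy.
gen_modular() {               # $1 = number of hosts, $2 = number of services
  echo '*filter'; echo ':FORWARD DROP [0:0]'; echo ':svc_allowed - [0:0]'
  j=1
  while [ "$j" -le "$2" ]; do
    echo "-A svc_allowed -d 192.0.2.1 -p tcp --dport $((1000+j)) -j ACCEPT"
    j=$((j+1))
  done
  i=1
  while [ "$i" -le "$1" ]; do
    echo ":who_$i - [0:0]"
    echo "-A FORWARD -s 10.0.0.$i -j who_$i"
    echo "-A who_$i -j svc_allowed"
    i=$((i+1))
  done
  echo 'COMMIT'
}

count_rules() { grep -c '^-A'; }   # number of rule lines in a rule set
```

For 100 hosts and 50 services the monolithic form is 5,000 rules while the modular form is 250; in a real deployment each who chain would link only to the service chains that host is allowed, which is the "mix and match" John describes.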
* Re: Some questions about using heavy iptables rules in a Linux box ....
From: Carl-Daniel Hailfinger @ 2006-05-09 23:59 UTC (permalink / raw)
To: hbchen; +Cc: netfilter-devel
hbchen wrote:
> Hi,
> I have some questions about using heavy iptables rules in a Linux box.
> 1. Has anyone done a comparison of latency and throughput on traffic
> through a Linux node with and without iptables (using lots of filtering rules)?
> 2. How much CPU time is spent on iptables (heavy filtering rules)?
> 3. Is there any significant impact (latency and throughput) on a 10G Ethernet link?
May I suggest using nf-hipac? It's available at http://www.hipac.org/ .
Especially for thousands of rules, it should be faster than iptables.
Regards,
Carl-Daniel
--
http://www.hailfinger.org/