Ebtables usage

Ebtables usage

[Jacky Lam]

Hi,

     I am a dummy about network administration. But I currently setup
my Linux box as a switch to forward the packet from eth0 to eth1. But
I find the throughput is not good. It seems the overhead of IP stack
is too high. I want to know if ebtables can allow me to do the job
below IP level? If yes, can anyone show me how to setup up that?
Thanks very much.

Jacky

Re: Ebtables usage

[Pandu Poluan]

Have you set up Linux bridging?

Here's a reasonably complete guide:

http://tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html

Rgds,


On 2011-02-15, Jacky Lam <lamshuyin@gmail.com> wrote:
> Hi,
>
>      I am a dummy about network administration. But I currently setup
> my Linux box as a switch to forward the packet from eth0 to eth1. But
> I find the throughput is not good. It seems the overhead of IP stack
> is too high. I want to know if ebtables can allow me to do the job
> below IP level? If yes, can anyone show me how to setup up that?
> Thanks very much.
>
> Jacky
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


-- 
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/

Re: Ebtables usage

[Jacky Lam]

Yes, my config is like this:

    Computer A (10.1.4.1) <-----> (eth0: 10.1.4.5) Linux Switch (eth1:
11.1.4.5) <-------> Computer B (11.1.4.3)

I each ip_forwarding and config the route table of Computer A,B. I get
500Mb/s from iperf while Linux Switch is 100% loaded.
As I know this switching is done in IP level, I want to do the job in
data link layer to get higher throughput/lower CPU usage.

Then I tried the following configuration:

    Computer A (10.1.4.1) <-----> (eth0) Linux Switch (eth1) <------->
Computer B (10.1.4.3)

I tried to setup a bridge like this as some document said:

iptables -t nat -A POSTROUTING -s 10.1.4.0/24 -d 10.1.4.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.4.0/24 -j MASQUERADE

brctl addbr br0
brctl stp br0 off
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig eth0 0 0.0.0.0
ifconfig eth1 0 0.0.0.0
ifconfig br0 10.1.4.5 netmask 255.255.255.0 up

echo '1' > /proc/sys/net/ipv4/ip_forward

But the throughput is only 200Mb/s and my Linux Switch is 100% loaded.
What's wrong with that?


Jacky

On Tue, Feb 15, 2011 at 5:48 PM, Pandu Poluan <pandu@poluan.info> wrote:
> Have you set up Linux bridging?
>
> Here's a reasonably complete guide:
>
> http://tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html
>
> Rgds,
>
>
> On 2011-02-15, Jacky Lam <lamshuyin@gmail.com> wrote:
>> Hi,
>>
>>      I am a dummy about network administration. But I currently setup
>> my Linux box as a switch to forward the packet from eth0 to eth1. But
>> I find the throughput is not good. It seems the overhead of IP stack
>> is too high. I want to know if ebtables can allow me to do the job
>> below IP level? If yes, can anyone show me how to setup up that?
>> Thanks very much.
>>
>> Jacky
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
>
> --
> --
> Pandu E Poluan - IT Optimizer
> My website: http://pandu.poluan.info/
>

Re: Ebtables usage

[Pascal Hambourg]

Hello,

Jacky Lam a écrit :
> Yes, my config is like this:
> 
>     Computer A (10.1.4.1) <-----> (eth0: 10.1.4.5) Linux Switch (eth1:
> 11.1.4.5) <-------> Computer B (11.1.4.3)
> 
> I each ip_forwarding and config the route table of Computer A,B. I get
> 500Mb/s from iperf while Linux Switch is 100% loaded.
> As I know this switching is done in IP level,

Your box is set up as a router, not a switch/bridge. Routing is done at
the IP level, and switching/bridging is done at the ethernet level.

> I want to do the job in
> data link layer to get higher throughput/lower CPU usage.

Not sure you'll get higher throughput though. Bridging adds its own
overhead.

> Then I tried the following configuration:
> 
>     Computer A (10.1.4.1) <-----> (eth0) Linux Switch (eth1) <------->
> Computer B (10.1.4.3)
> 
> I tried to setup a bridge like this as some document said:
> 
> iptables -t nat -A POSTROUTING -s 10.1.4.0/24 -d 10.1.4.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.1.4.0/24 -j MASQUERADE

What do you need these rules for ? They are not needed for pure bridging.

> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 eth0
> brctl addif br0 eth1
> 
> ifconfig eth0 0 0.0.0.0
> ifconfig eth1 0 0.0.0.0

Ok.

> ifconfig br0 10.1.4.5 netmask 255.255.255.0 up
> 
> echo '1' > /proc/sys/net/ipv4/ip_forward

This is IP-related and not required for pure bridging.

> But the throughput is only 200Mb/s and my Linux Switch is 100% loaded.
> What's wrong with that?

It may be the overhead caused by bridge-nf, netfilter, IPv4 conntrack
and iptables.
Try with /proc/sys/net/bridge/bridge-nf-call-iptables set to 0.

You did not explain what you want to do exactly with this box.

Re: Ebtables usage

[Jacky Lam]

I want to share a network service by two computers but I don't have
any extra router or switch, but one computer has 2 ethernet cards and
running Linux. But that computer is old and slow. So I want to know if
I can set up that computer as a ethernet level switch/bridge.

That means I am done right (except the two rules at the beginning) to
setup a ethernet switch? I don't need to setup any rules by iptables
or ebtables?

Thanks for helping.

On Tue, Feb 15, 2011 at 6:47 PM, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Jacky Lam a écrit :
>> Yes, my config is like this:
>>
>>     Computer A (10.1.4.1) <-----> (eth0: 10.1.4.5) Linux Switch (eth1:
>> 11.1.4.5) <-------> Computer B (11.1.4.3)
>>
>> I each ip_forwarding and config the route table of Computer A,B. I get
>> 500Mb/s from iperf while Linux Switch is 100% loaded.
>> As I know this switching is done in IP level,
>
> Your box is set up as a router, not a switch/bridge. Routing is done at
> the IP level, and switching/bridging is done at the ethernet level.
>
>> I want to do the job in
>> data link layer to get higher throughput/lower CPU usage.
>
> Not sure you'll get higher throughput though. Bridging adds its own
> overhead.
>
>> Then I tried the following configuration:
>>
>>     Computer A (10.1.4.1) <-----> (eth0) Linux Switch (eth1) <------->
>> Computer B (10.1.4.3)
>>
>> I tried to setup a bridge like this as some document said:
>>
>> iptables -t nat -A POSTROUTING -s 10.1.4.0/24 -d 10.1.4.0/24 -j ACCEPT
>> iptables -t nat -A POSTROUTING -s 10.1.4.0/24 -j MASQUERADE
>
> What do you need these rules for ? They are not needed for pure bridging.
>
>> brctl addbr br0
>> brctl stp br0 off
>> brctl addif br0 eth0
>> brctl addif br0 eth1
>>
>> ifconfig eth0 0 0.0.0.0
>> ifconfig eth1 0 0.0.0.0
>
> Ok.
>
>> ifconfig br0 10.1.4.5 netmask 255.255.255.0 up
>>
>> echo '1' > /proc/sys/net/ipv4/ip_forward
>
> This is IP-related and not required for pure bridging.
>
>> But the throughput is only 200Mb/s and my Linux Switch is 100% loaded.
>> What's wrong with that?
>
> It may be the overhead caused by bridge-nf, netfilter, IPv4 conntrack
> and iptables.
> Try with /proc/sys/net/bridge/bridge-nf-call-iptables set to 0.
>
> You did not explain what you want to do exactly with this box.
>

Re: Ebtables usage

[Pascal Hambourg]

Jacky Lam a écrit :
> I want to share a network service by two computers but I don't have
> any extra router or switch, but one computer has 2 ethernet cards and
> running Linux. But that computer is old and slow. So I want to know if
> I can set up that computer as a ethernet level switch/bridge.

What kind of network service ? Is that service running on the old computer ?
You can set up a computer as an ethernet bridge, but that old computer
may not be fast enough to handle gigabit traffic.

> That means I am done right (except the two rules at the beginning) to
> setup a ethernet switch? I don't need to setup any rules by iptables
> or ebtables?

You need iptables and ebtables rules for IP and ethernet packet
filtering and mangling. You don't need them if the box does only plain
routing or bridging.

Re: Ebtables usage

[Jacky Lam]

On 2/16/2011 4:50 PM, Pascal Hambourg wrote:
> Jacky Lam a écrit :
>> I want to share a network service by two computers but I don't have
>> any extra router or switch, but one computer has 2 ethernet cards and
>> running Linux. But that computer is old and slow. So I want to know if
>> I can set up that computer as a ethernet level switch/bridge.
> What kind of network service ? Is that service running on the old computer ?
> You can set up a computer as an ethernet bridge, but that old computer
> may not be fast enough to handle gigabit traffic.
>
I mean the internet service. Yes, the old computer is very slow. That's 
why I want to lower the overhead while being a switch.
>> That means I am done right (except the two rules at the beginning) to
>> setup a ethernet switch? I don't need to setup any rules by iptables
>> or ebtables?
> You need iptables and ebtables rules for IP and ethernet packet
> filtering and mangling. You don't need them if the box does only plain
> routing or bridging.
>
Thanks.

Re: Ebtables usage

[Pascal Hambourg]

Jacky Lam a écrit :
>>
> I mean the internet service. Yes, the old computer is very slow. That's 
> why I want to lower the overhead while being a switch.

I understand, but the actual system load may be much lower, depending on
the bandwidth of the internet access. I would be surprised if you had
gigabit-grade internet access but could not afford a dumb ethernet switch.