Re: Best qdisc for interfaces of a firewall?

[Dennis Jacobfeuerborn <dennisml@conversis.de>]

On 10.11.2014 19:04, Dave Taht wrote:
> Several notes on this thread:
> 
> 1) Inefficient firewall rules are a common, and it is often possible
> to seriously optimize them. Find a place to post them so others can
> take a look.
> 
> But a huge problem on devices with offloads is that the first iptables
> rule you insert costs quite a lot if it causes offloads to be
> disabled.

The rules are reasonably efficient. Its the standard EdgeOS zone
configuration where traffic is routed into a chain based on the output
interface and from there into a chain based on the incoming interface.
There the first rule is to accept all related and established traffic
followed by the "real" rules that allow specific traffic based on
addresses, ports and ipsets.

There are some standard Vyatta hook chains involved that are empty but
if these decimate the packet throughput this much then no optimization
can bring the processing to acceptable levels.

> 2) fq_codel is very efficient and rarely shows up as a significant
> fraction of cpu - other overheads (like firewall rules and HTB)
> dominate. If you are trying to push more than 60Mbit through HTB + any
> qdisc on the edgerouter lite we hit problems.
> 
> 3) We (meaning cerowrt and openwrt and many others) worked very hard
> on making 3.10.12 and later the best possible kernel for routers we
> could make, and I do hope that the latest 1.6 edgerouter release
> proves stabler and faster than the last. But see points 1 and 2.

I've been thinking about using 3.16 on the new box since 3.15 apparently
brought some scalability improvements for connection tracking and 3.16
is going to be supported by Ubuntu at least into 2016 makeing it
effectively a long-term supported kernel.

> 4) At this point in time I am intensely frustrated with all the
> hardware offloading based products. In every case they work just fine
> in benchmarks, but often fall appallingly short of their rated specs
> when some more real-world configuration is used. And furthermore, the
> chipmakers with their "secret sauce" in their firmware are generally
> unwilling to open that up so that it could be improved to match the
> requirements of the real world.

That has been my experience as well and it is indeed extremely frustrating.
Since the trouble with the EdgeRouter Pro was causing serious issues I
replaced it with a regular System we had lying around with 8 cores and
multiqueue capable network interfaces. I performed some basic
optimizations like irq affinity and XPS assignment and imported the
ipsets and iptables rules from the EdgeRouter without any changes. At
peak times the cpu utilization shows each core 98-99% idle.

Regards,
  Dennis