* Re: [LARTC] Bandwith limitation
2003-03-10 8:41 [LARTC] Bandwith limitation Rinse Kloek
@ 2003-03-10 17:41 ` Stef Coene
2003-03-10 17:50 ` Rinse Kloek
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Stef Coene @ 2003-03-10 17:41 UTC (permalink / raw)
To: lartc
On Monday 10 March 2003 09:41, Rinse Kloek wrote:
> We use a RedHat 7.3 machine as bridge on a P3 1.8 GHz with 2 64 bits
> Gigabit interfaces. On the machine we have a lot of iptables rules like:
> all -- 213.134.225.0 0.0.0.0/0
> all -- 0.0.0.0/0 213.134.225.0
> TOS all -- 213.134.225.4 0.0.0.0/0 TOS set 0x08
> all -- 0.0.0.0/0 213.134.225.4
>
> Currently in the peak hours we have about 40 Megabit traffic. Also in these
> peak hours we have a CPU load of about 70%. What is the main reason for this
> CPU load: the high traffic or the iptables rules on the machine? And
> if the iptables rules are the reason for the high CPU load, does TOS
> mangling use much CPU?
I'm not sure, but I think the high traffic is the problem. And for iptables,
I think changing something (TOS or DNAT/SNAT) is the most CPU intensive.
Maybe you can try to rearrange the iptables rules so the most matched rules
are at the beginning of your firewall script.
Maybe you can create a test setup so you can generate 40 Megabit traffic on a
test bridge without iptables rules to see what the CPU does.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
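Stef's advice to put the most-matched rules first rests on the chain being walked linearly, so a rule's cost is the number of entries each packet is compared against before it matches. The script below is an added example, not code from this thread or from the netfilter project: it parses constructed `iptables -L FORWARD -v -n -x` output (the packet counters are invented) and estimates the average compares per packet before and after ranking the chain by hit count.

```python
"""Rank iptables rules by hit count to find reordering candidates (added
example, not code from the LARTC thread). Parses `iptables -L <chain> -v -n -x`
output (-x keeps the counters as plain integers rather than 12K/3M)."""
import re

# Constructed output with invented counters; the addresses mirror the thread.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 ACCEPT     all  --  *      *       213.134.225.0        0.0.0.0/0
     950      61000 ACCEPT     all  --  *      *       0.0.0.0/0            213.134.225.0
     300      21000 TOS        all  --  *      *       213.134.225.4        0.0.0.0/0            TOS set 0x08
    4800     320000 ACCEPT     all  --  *      *       0.0.0.0/0            213.134.225.4
"""
# pkts bytes target prot opt in out source destination [options]; header lines never match
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)" + r"\s+(\S+)" * 7 + r"(.*)$")

def parse_rules(text):
    """Return [(pkts, rule_text), ...] in chain order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            extra = m.group(10).strip()
            fields = list(m.groups()[2:9]) + ([extra] if extra else [])
            rules.append((int(m.group(1)), " ".join(fields)))
    return rules

def rules_evaluated_per_packet(rules):
    """Average rules compared per matched packet, assuming a linear walk that
    stops at the first match: a packet hitting rule i (1-based) cost i compares."""
    total = sum(pkts for pkts, _ in rules)
    return sum(pkts * (i + 1) for i, (pkts, _) in enumerate(rules)) / total if total else 0.0

def reorder_by_hits(rules):
    """Most-matched rules first. A ranking aid only: moving a rule above one
    whose match set overlaps it changes which target fires, so check overlaps
    before rewriting the firewall script."""
    return sorted(rules, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    current = parse_rules(SAMPLE)
    proposed = reorder_by_hits(current)
    print(f"rules evaluated per packet: {rules_evaluated_per_packet(current):.2f}"
          f" -> {rules_evaluated_per_packet(proposed):.2f}")
    for pkts, rule in proposed:
        print(f"{pkts:>8}  {rule}")
```

On a live box, feed it `iptables -L FORWARD -v -n -x` after the counters have accumulated through a peak hour, since counters reset on a rule flush.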
* Re: [LARTC] Bandwith limitation
From: Rinse Kloek @ 2003-03-10 17:50 UTC (permalink / raw)
To: lartc
> On Monday 10 March 2003 09:41, Rinse Kloek wrote:
> > We use a RedHat 7.3 machine as bridge on a P3 1.8 GHz with 2 64 bits
> > Gigabit interfaces. On the machine we have a lot of iptables rules like:
> > all -- 213.134.225.0 0.0.0.0/0
> > all -- 0.0.0.0/0 213.134.225.0
> > TOS all -- 213.134.225.4 0.0.0.0/0 TOS set 0x08
> > all -- 0.0.0.0/0 213.134.225.4
> >
> > Currently in the peak hours we have about 40 Megabit traffic. Also in these
> > peak hours we have a CPU load of about 70%. What is the main reason for this
> > CPU load: the high traffic or the iptables rules on the machine? And
> > if the iptables rules are the reason for the high CPU load, does TOS
> > mangling use much CPU?
> I'm not sure, but I think the high traffic is the problem. And for iptables,
> I think changing something (TOS or DNAT/SNAT) is the most CPU intensive.
> Maybe you can try to rearrange the iptables rules so the most matched rules
> are at the beginning of your firewall script.
>
> Maybe you can create a test setup so you can generate 40 Megabit traffic on a
> test bridge without iptables rules to see what the CPU does.
>
> Stef
Stef,
We have about 3200 iptables rules on our bridge. I've tested today to remove
1000 of these rules. The load dropped from about 40% to 25%. So I think the
iptables rules take up most of the CPU load. Do you think this is a
problem of inefficiency of iptables or just a 'limitation' in the TCP/IP
stack of Linux?
Regards, Rinse
* Re: [LARTC] Bandwith limitation
From: Stef Coene @ 2003-03-10 18:00 UTC (permalink / raw)
To: lartc
> Stef,
>
> We have about 3200 iptables rules on our bridge. I've tested today to
> remove 1000 of these rules. The load dropped from about 40% to 25%. So I
> think the iptables rules take up most of the CPU load. Do you think this
> is a problem of inefficiency of iptables or just a 'limitation' in the
> TCP/IP stack of Linux?
I don't think it's a limitation. I think you reached the point where you need
a bigger machine :)
Maybe you can try the iptables mailing list to find more info about the
performance you can expect:
http://lists.netfilter.org/mailman/listinfo/netfilter
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
* Re: [LARTC] Bandwith limitation
From: Evgeni Gechev @ 2003-03-10 18:42 UTC (permalink / raw)
To: lartc
Stef Coene wrote:
> > Stef,
> >
> > We have about 3200 iptables rules on our bridge. I've tested today to
> > remove 1000 of these rules. The load dropped from about 40% to 25%. So I
> > think the iptables rules take up most of the CPU load. Do you think this
> > is a problem of inefficiency of iptables or just a 'limitation' in the
> > TCP/IP stack of Linux?
> I don't think it's a limitation. I think you reached the point where you need
> a bigger machine :)
Some topic-related observations:
AMD Athlon XP1700+ (1466), 4xRealtek8139, 5-6Mbit/s - nearly reaching the limit
of the machine's capabilities.
P4 2000, 3com905C+BROADCOM BCM5701, 40-50Mbit/s - far better behaviour.
Same configuration on both, thousands of iptables rules, and on the P4 machine
there are 200-250 concurrent PPPoE sessions (none on the Athlon).
>
> Maybe you can try the iptables mailing list to find more info about the
> performance you can expect:
> http://lists.netfilter.org/mailman/listinfo/netfilter
* Re: [LARTC] Bandwith limitation
From: Raúl Alexis Betancort Santana @ 2003-03-10 19:03 UTC (permalink / raw)
To: lartc
On Mon, Mar 10, 2003 at 08:42:06PM +0200, Evgeni Gechev wrote:
>
> Some topic-related observations:
> AMD Athlon XP1700+ (1466), 4xRealtek8139, 5-6Mbit/s - nearly reaching the limit
> of the machine's capabilities.
Replace the 4 Realtek cards with 4 REAL NICs; as the kernel driver for the
Realtek cards says: "... Realtek redefine the concept of low end
hardware with this chipset ..."
> P4 2000, 3com905C+BROADCOM BCM5701, 40-50Mbit/s - far better behaviour.
> Same configuration on both, thousands of iptables rules, and on the P4 machine
> there are 200-250 concurrent PPPoE sessions (none on the Athlon).
I think it is not a matter of the hardware (CPU/Mem, I mean), but a matter of having good
NICs, good switches, and a very well planned and implemented network
structure. If you want good performance, tuning the kernel's
network-related parameters would be good too.
Best regards
--
Raúl A. Betancort Santana <rabs@dimension-virtual.com>
Dimensión Virtual S.L. - A Linux Solution Provider
"A Dream is an answer to a question that we don't know how to ask."