linux/iptables + smp question

linux/iptables + smp question

[Juan Pablo Abuyeres]

Hi guys,

I've been using an old single processor / linux 2.4 iptables based 
firewall for a few years.

Now it's time to upgrade that machine, so, I am wondering, would it be 
of real benefit if I put a two-processor system for a firewall? This 
machine is going to have 4 NICs, it's going to make routing (lots of 
routes), and firewall (iptables). I don't know if these kind of tasks 
take advantage from a multiple-processor architecture. Please enlighten 
me :)

Thank you!

Re: linux/iptables + smp question

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1308 bytes --]

On Fri, Apr 28, 2006 at 07:46:13AM -0400, Juan Pablo Abuyeres wrote:
> Hi guys,

Hi, please follow up to the netfilter mailinglist, since this is not a
kernel [development] question.

> I've been using an old single processor / linux 2.4 iptables based firewall for a few years.
>
> Now it's time to upgrade that machine, so, I am wondering, would it be of real benefit if I put a 
> two-processor system for a firewall? This machine is going to have 4 NICs, it's going to make 
> routing (lots of routes), and firewall (iptables). I don't know if these kind of tasks take 
> advantage from a multiple-processor architecture. Please enlighten me :)

some notes:

1) 2.6. network stack scales better on smp
2) iptables and routing both scale very good on smp systems, if you use
   multiple interfaces and distribute the interrupts over multiple cpus
3) connection tracking inherently scales less good on SMP systems

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]