netdev.vger.kernel.org archive mirror
From: Andrew Morton <akpm@linux-foundation.org>
To: netdev@vger.kernel.org
Cc: bugme-daemon@bugzilla.kernel.org, alex.williamson@hp.com
Subject: Re: [Bugme-new] [Bug 11316] New: severe performance regression for iptables nat routing
Date: Tue, 12 Aug 2008 22:12:04 -0700
Message-ID: <20080812221204.46afb4a6.akpm@linux-foundation.org>
In-Reply-To: <bug-11316-10286@http.bugzilla.kernel.org/>


(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Tue, 12 Aug 2008 22:04:41 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=11316
> 
>            Summary: severe performance regression for iptables nat routing
>            Product: Networking
>            Version: 2.5
>      KernelVersion: 2.6.27-rc3
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: high
>           Priority: P1
>          Component: Netfilter/Iptables
>         AssignedTo: networking_netfilter-iptables@kernel-bugs.osdl.org
>         ReportedBy: alex.williamson@hp.com
> 
> 
> Latest working kernel version: 2.6.26.2
> Earliest failing kernel version: 2.6.27-rc2 (maybe earlier)
> Distribution: Ubuntu
> Hardware Environment: x86_64
> Software Environment: 32bit userspace/64bit kernel
> Problem Description: When using iptables to intercept addr:port and reroute
> through an ssh tunnel, I see a huge performance hit on the 2.6.27-rc series
> relative to 2.6.26 (34KB/s vs 1+MB/s).
> 
> Steps to reproduce:
> 
> Set up an ssh tunnel to one of the kernel.org servers using a system on your
> local network:
> 
> ssh -L 8888:204.152.191.37:80 <local system>
> 
> Leave the ssh session running.  In a new terminal (on your local system),
> verify performance of direct access versus the tunnel:
> 
> wget -O /dev/null http://204.152.191.37/pub/linux/kernel/v2.6/linux-2.6.26.2.tar.bz2
> wget -O /dev/null http://127.0.0.1:8888/pub/linux/kernel/v2.6/linux-2.6.26.2.tar.bz2
> 
> These should be roughly the same.  Now set up iptables so that when you try to
> access 204.152.191.37:80 you'll automatically be redirected to the ssh tunnel:
> 
> sudo iptables -t nat -N bug
> sudo iptables -t nat -I OUTPUT 1 -j bug
> sudo iptables -t nat -A bug -d 204.152.191.37 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8888
> 
> Repeat the performance test:
> 
> wget -O /dev/null http://204.152.191.37/pub/linux/kernel/v2.6/linux-2.6.26.2.tar.bz2
> wget -O /dev/null http://127.0.0.1:8888/pub/linux/kernel/v2.6/linux-2.6.26.2.tar.bz2
> 
> On 2.6.27-rc2+ my rate quickly drops down to ~34KB/s using the iptables nat'd
> wget (204.152.191.37) while the ssh tunnel still runs 1+MB/s.  On 2.6.26 I get
> similar performance for both paths.
> 

