NFQUEUE in bridge mode performance poor in the last kernels

NFQUEUE in bridge mode performance poor in the last kernels

[tingwei liu]

In the past few days, I have puzzled by NFQUEUE in bridge mode.
I have take some test with five kernels.
2.6.24.4
2.6.36.4
2.6.38
3.0.8
3.1.10

The result is : 2.6.24.4,2.6.26.4,2.6.38 have a goog performance;
3.0.8 and 3.1.10 have a poor performance.
Next is copy from suricata maillist( eric@regit.org )

I'm having a look at it. There has been some changes between the two
kernel versions (bringing more performances) but it seems there is some
side effects with bridge.
Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: NFQUEUE in bridge mode performance poor in the last kernels

[Eric Dumazet]

Le mardi 06 mars 2012 à 10:05 +0800, tingwei liu a écrit :
> In the past few days, I have puzzled by NFQUEUE in bridge mode.
> I have take some test with five kernels.
> 2.6.24.4
> 2.6.36.4
> 2.6.38
> 3.0.8
> 3.1.10
> 
> The result is : 2.6.24.4,2.6.26.4,2.6.38 have a goog performance;
> 3.0.8 and 3.1.10 have a poor performance.
> Next is copy from suricata maillist( eric@regit.org )
> 
> I'm having a look at it. There has been some changes between the two
> kernel versions (bringing more performances) but it seems there is some
> side effects with bridge.
> Thanks!

More data is welcomed. What is "good", what is "bad" ?

You dont expect us to magically understand the issue, do you ?

If you want some help, you should give as much information as possible.



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: NFQUEUE in bridge mode performance poor in the last kernels

[Florian Westphal]

tingwei liu <tingw.liu@gmail.com> wrote:
> In the past few days, I have puzzled by NFQUEUE in bridge mode.
> I have take some test with five kernels.
> 2.6.24.4
> 2.6.36.4
> 2.6.38
> 3.0.8
> 3.1.10
> 
> The result is : 2.6.24.4,2.6.26.4,2.6.38 have a goog performance;
> 3.0.8 and 3.1.10 have a poor performance.
> Next is copy from suricata maillist( eric@regit.org )
> 
> I'm having a look at it. There has been some changes between the two
> kernel versions (bringing more performances) but it seems there is some
> side effects with bridge.

Might be the 'gro+nfqueue eats MAC header' problem, you could try
commit a8db7b2d197a0d624baab83f0c810b0edbc4ffd0 (netfilter: nf_queue: fix
queueing of bridged gro skbs). Or, disable gro on all bridge ports via
ethtool -K $device gro off

If its not gro related, please provide more information about your
machine, setup, ... etc.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: NFQUEUE in bridge mode performance poor in the last kernels

[tingwei liu]

On Tue, Mar 6, 2012 at 11:19 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le mardi 06 mars 2012 à 10:05 +0800, tingwei liu a écrit :
>> In the past few days, I have puzzled by NFQUEUE in bridge mode.
>> I have take some test with five kernels.
>> 2.6.24.4
>> 2.6.36.4
>> 2.6.38
>> 3.0.8
>> 3.1.10
>>
>> The result is : 2.6.24.4,2.6.26.4,2.6.38 have a goog performance;
>> 3.0.8 and 3.1.10 have a poor performance.
>> Next is copy from suricata maillist( eric@regit.org )
>>
>> I'm having a look at it. There has been some changes between the two
>> kernel versions (bringing more performances) but it seems there is some
>> side effects with bridge.
>> Thanks!
>
> More data is welcomed. What is "good", what is "bad" ?
>
Sorry for that.
My network is 100Mbps.
"good" means the forward bandwidth almost 100Mbps.
"bad" means the forward bandwidth with nfqueue only 30Mbps.
Thanks for your reply!
> You dont expect us to magically understand the issue, do you ?
>
> If you want some help, you should give as much information as possible.
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: NFQUEUE in bridge mode performance poor in the last kernels

[Eric Dumazet]

On Wed, 2012-03-07 at 08:46 +0800, tingwei liu wrote:
> On Tue, Mar 6, 2012 at 11:19 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > Le mardi 06 mars 2012 à 10:05 +0800, tingwei liu a écrit :
> >> In the past few days, I have puzzled by NFQUEUE in bridge mode.
> >> I have take some test with five kernels.
> >> 2.6.24.4
> >> 2.6.36.4
> >> 2.6.38
> >> 3.0.8
> >> 3.1.10
> >>
> >> The result is : 2.6.24.4,2.6.26.4,2.6.38 have a goog performance;
> >> 3.0.8 and 3.1.10 have a poor performance.
> >> Next is copy from suricata maillist( eric@regit.org )
> >>
> >> I'm having a look at it. There has been some changes between the two
> >> kernel versions (bringing more performances) but it seems there is some
> >> side effects with bridge.
> >> Thanks!
> >
> > More data is welcomed. What is "good", what is "bad" ?
> >
> Sorry for that.
> My network is 100Mbps.
> "good" means the forward bandwidth almost 100Mbps.
> "bad" means the forward bandwidth with nfqueue only 30Mbps.
> Thanks for your reply!

more info needed... like what kind of network adapter do you use , and
ethtool -k settings, like

ethtool -k eth0


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: NFQUEUE in bridge mode performance poor in the last kernels

[tingwei liu]

On Wed, Mar 7, 2012 at 5:23 AM, Florian Westphal <fw@strlen.de> wrote:
> tingwei liu <tingw.liu@gmail.com> wrote:
>> In the past few days, I have puzzled by NFQUEUE in bridge mode.
>> I have take some test with five kernels.
>> 2.6.24.4
>> 2.6.36.4
>> 2.6.38
>> 3.0.8
>> 3.1.10
>>
>> The result is : 2.6.24.4,2.6.26.4,2.6.38 have a goog performance;
>> 3.0.8 and 3.1.10 have a poor performance.
>> Next is copy from suricata maillist( eric@regit.org )
>>
>> I'm having a look at it. There has been some changes between the two
>> kernel versions (bringing more performances) but it seems there is some
>> side effects with bridge.
>
> Might be the 'gro+nfqueue eats MAC header' problem, you could try
> commit a8db7b2d197a0d624baab83f0c810b0edbc4ffd0 (netfilter: nf_queue: fix
> queueing of bridged gro skbs). Or, disable gro on all bridge ports via
> ethtool -K $device gro off
>
I have test it.You are right.Now it is time to learn why the gro effects it.
Thanks very much.
> If its not gro related, please provide more information about your
> machine, setup, ... etc.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html