Re: netfilter performance on low-end embedded systems

[Alexander Sirotkin <demiurg@metalinkBB.com>]

Robert Iakobashvili wrote:
> Alexander,
>
>
>> From: Alexander Sirotkin <demiurg@metalinkBB.com>
>
>> I'm trying to evaluate the feasibility of using netfilter on low-end
>> embedded processors, such as MIPS 4K or 24K. Basicly what I'm trying to
>> understand is whether we can do 100Bps with netfilter enabled (firewall
>> and NAT) on such a CPU or should we check hardware acceleration 
>> solution.
>>
>> If anybody did any similar benchmarks and can share results (does not
>> have to be on MIPS) or just has any opinion on the subject - I'd be very
>> grateful.
>
> With reference to the low-end arm processors, high traffic is not a
> problem, unless
> you are not using a large number of iptables rules, which traversal by 
> packets
> is linear.
Well, this is not entirely correct.
I started doing some benchmarks myself on MIPS 24K 266MHz which is 
fairly common embedded CPU and the results are not very good. Under 
100Mbps UDP traffic just compiling netfilter increases CPU utilization 
by 20%.

Profiling shows that most time is spent in nf_hook_slow (8%) and 
nf_iterate (7%) functions. I can post more results in case anybody is 
interested to discuss this.
> If you need lots many rules, e.g. hundreds, thousands, etc, consider
> using various
> flavors of ipset, nf-hypac, connection tracking, wise rules 
> arrangement, etc.
>
>
> Sincerely,
> Robert Iakobashvili,
> coroberti %x40 gmail %x2e com
> ...................................................................
> Navigare necesse est, vivere non est necesse
> ...................................................................
> http://sourceforge.net/projects/curl-loader
> A powerful open-source HTTP/S, FTP/S traffic
> generating, loading and testing tool.


-- 
Alexander Sirotkin

System Engineer
System Architecture Group

Metalink Broadband Ltd.

Phone:   +972-9-9605360
Fax:     +972-9-9605344
Mobile: +972-54-4959034


-- Disclaimer: --
This e-mail is intended solely for the person to whom it is addressed and may contain confidential or legally privileged information. Access to this e-mail by anyone else is unauthorized. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and destroy this e-mail and any attachments.
E-mail may be susceptible to data corruption, interception, unauthorized amendment, viruses and delays or the consequences thereof. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited.