How to measure CPU usage of netfilter

How to measure CPU usage of netfilter

[Mohammad Farooq]

Hi Guys,
   
  I have about 1000 rules in the iptables. All these rules just forward 
the incoming traffic to other systems. I am trying to measure CPU usage 
of the netfilter. I tried to measure with top command but some how it 
always shows that CPU is 95% idle. I am not sure if top is the 
appropriate command to measure CPU usage of the netfilter. Since all the 
filtering is happening inside the kernel there should be some other command to 
measure kernel's CPU usage. I would appreciate if someone can point to 
the right direction. Thanks.
   
  mf

Re: How to measure CPU usage of netfilter

[Mike Williams]

On Tuesday 21 November 2006 00:40, Mohammad Farooq wrote:
> Hi Guys,
>
>   I have about 1000 rules in the iptables. All these rules just forward
> the incoming traffic to other systems. I am trying to measure CPU usage
> of the netfilter. I tried to measure with top command but some how it
> always shows that CPU is 95% idle. I am not sure if top is the
> appropriate command to measure CPU usage of the netfilter. Since all the
> filtering is happening inside the kernel there should be some other command
> to measure kernel's CPU usage. I would appreciate if someone can point to
> the right direction. Thanks.

While I don't know if there is a "right way", 5% is probably about right, even 
taking into account the top overhead.
I have a fairly complex iptable setup on a PIII 800 pushing over 40Mbps of 
mostly web traffic, NATting it to a varity of webservers on 2 different 
physical networks. Conntrack gets upto and over 60000. The busiest webserver 
handles in excess of 300 requests a second coming through the firewall.
We've just passed peak usage and the CPU usage averaged a little over 20% over 
the period, according to the nice rrdtool graphs cacti generates for me from 
snmp.

I'm also using ulogd to log dropped packets. CPU usage can average ~40% higher 
if that gets too large, or fills the disk (which it's done a couple times). I 
should turn it off really...

-- 
Mike Williams

-- 
Mike Williams

load balancing multiple isp

[ArioS]

Dear,

anyone have experience bout load balancing on multiple isp ? i have 3 
connection from different isp (A = 64kb , B = 128kb , C = 128kb). howto mix 
these 3 isp into 1 virtually.. so if bw on ISP A is lacked then the 
connection will move to ISP B. currently i did manual route for specific 
network to specific ISP... it really hard to balance it with manual route. 
any clue ? 

Re: load balancing multiple isp

[Taylor, Grant]

ArioS wrote:
> anyone have experience bout load balancing on multiple isp ? i have 3 
> connection from different isp (A = 64kb , B = 128kb , C = 128kb). howto 
> mix these 3 isp into 1 virtually.. so if bw on ISP A is lacked then the 
> connection will move to ISP B. currently i did manual route for specific 
> network to specific ISP... it really hard to balance it with manual 
> route. any clue ?

Look in to the "--next-hop" "ip route" command option.  I think you will 
find what you are looking for in the fact that you can have multiple next hops.

Something to keep in mind is that if you are NATing each ISP connection, you 
can not have a stream migrate from one ISP to another b/c you will break 
connection state on your end, or even if your end could handle it, the 
server you are connecting to would flip out.  From the server's point of 
view, it would be talking to Bob and Bob would stop mid sentence and Tom 
would start where Bob left of with out the ability to correlate what Bob and 
Tom were saying in to one coherent stream.



Grant. . . .

Re: How to measure CPU usage of netfilter

[Yakov Lerner]

On 11/21/06, Mohammad Farooq <mohammadfarooq@tango-networks.com> wrote:
>   I have about 1000 rules in the iptables. All these rules just forward
> the incoming traffic to other systems. I am trying to measure CPU usage
> of the netfilter. I tried to measure with top command but some how it
> always shows that CPU is 95% idle. I am not sure if top is the
> appropriate command to measure CPU usage of the netfilter. Since all the
> filtering is happening inside the kernel there should be some other command to
> measure kernel's CPU usage. I would appreciate if someone can point to
> the right direction. Thanks.

You can try 'cpusoak'  tool from Andrew Morton zc toolset:
    http://www.zipworld.com.au/~akpm/linux/zc.tar.gz
cpusoak which accurately measures cpu consumption by the kernel.

Yakov