2002-07-24 13:22:18

by zhengchuanbo

Subject: about the performance of netfilter


We use a Linux router. I just tested the performance of the router. When the kernel is built without netfilter support, the throughput of 64-byte frames is about 45%. When I build the kernel with netfilter (only the ip_filter module), the throughput dropped to 24%, without any rules.
So is there some way to improve the performance? I just want some simple packet filter. Is netfilter not so good on performance compared to ipchains, due to the improved functionality?
Please cc. Thanks.

regards,

zheng chuanbo
[email protected]


2002-07-25 08:58:40

by Rusty Russell

Subject: Re: about the performance of netfilter

On Wed, 24 Jul 2002 21:24:56 +0800
zhengchuanbo <[email protected]> wrote:

>
> We use a Linux router. I just tested the performance of the router. When the kernel is built without netfilter support, the throughput of 64-byte frames is about 45%. When I build the kernel with netfilter (only the ip_filter module), the throughput dropped to 24%, without any rules.
> So is there some way to improve the performance? I just want some simple packet filter. Is netfilter not so good on performance compared to ipchains, due to the improved functionality?
> Please cc. Thanks.

There are several stages.
1) CONFIG_NETFILTER=n
2) CONFIG_NETFILTER=y
3) CONFIG_NETFILTER=y CONFIG_IP_NF_TABLES=m, ip_tables.o loaded
4) iptables rules inserted.

Make sure you do not have CONFIG_NETFILTER_DEBUG or CONFIG_IP_NF_CONNTRACK
on!

Rusty.
--
there are those who do and those who hang on and you don't see too
many doers quoting their contemporaries. -- Larry McVoy
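As an added example (not code from the thread or from the netfilter project), here is a POSIX shell script that applies the four stages listed above to a kernel `.config` and to a saved `iptables -S` listing: it reports which build stage a config is at and flags the two options the reply warns about. It assumes the 2.4 config symbol for ip_tables is `CONFIG_IP_NF_IPTABLES` (the `CONFIG_IP_NF_TABLES` spelling used in the reply is accepted as well), and the config files and rule listings it reads are constructed samples, not captures from the poster's router.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies a kernel .config by the
# netfilter build "stages" from the reply above and flags the costly options it
# warns about. Stage 4 (rules inserted) is a runtime state, not a build option,
# so it is checked separately against saved `iptables -S` output.

# cfg_val FILE SYMBOL -> y, m or n ("# CONFIG_X is not set" and absent both give n)
cfg_val() {
    v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    printf '%s\n' "${v:-n}"
}

# nf_stage FILE -> 1, 2 or 3
#   1: CONFIG_NETFILTER=n   (no hooks compiled in)
#   2: CONFIG_NETFILTER=y   (hooks present, no ip_tables)
#   3: ip_tables built in (=y) or as a module (=m; the cost is paid once loaded)
# The 2.4 symbol is CONFIG_IP_NF_IPTABLES (assumption); the reply writes
# CONFIG_IP_NF_TABLES, so both spellings are accepted.
nf_stage() {
    [ "$(cfg_val "$1" CONFIG_NETFILTER)" = y ] || { echo 1; return; }
    t=$(cfg_val "$1" CONFIG_IP_NF_IPTABLES)
    [ "$t" = n ] && t=$(cfg_val "$1" CONFIG_IP_NF_TABLES)
    case "$t" in
        y|m) echo 3 ;;
        *)   echo 2 ;;
    esac
}

# nf_warnings FILE -> comma-separated list of the options the reply says to
# keep off (empty when clean). Conntrack built as a module still costs once loaded.
nf_warnings() {
    w=""
    [ "$(cfg_val "$1" CONFIG_NETFILTER_DEBUG)" = y ] && w="${w}NETFILTER_DEBUG,"
    case "$(cfg_val "$1" CONFIG_IP_NF_CONNTRACK)" in
        y|m) w="${w}IP_NF_CONNTRACK," ;;
    esac
    printf '%s\n' "${w%,}"
}

# rule_count FILE -> number of rules in saved `iptables -S` output, i.e. lines
# that append a rule (-A ...) rather than set a chain policy (-P ...).
# A non-zero count means the router is at stage 4.
rule_count() {
    grep -c '^-A ' "$1" || true
}

# --- constructed sample inputs (not from a real system); left in $tmp ---
tmp=$(mktemp -d)
cat > "$tmp/config-router" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
EOF
cat > "$tmp/config-plain" <<'EOF'
# CONFIG_NETFILTER is not set
EOF
cat > "$tmp/rules-empty" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
cat > "$tmp/rules-simple" <<'EOF'
-P FORWARD DROP
-A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j ACCEPT
EOF

for c in config-router config-plain; do
    printf '%s: stage %s warnings=[%s]\n' \
        "$c" "$(nf_stage "$tmp/$c")" "$(nf_warnings "$tmp/$c")"
done
printf 'rules-empty: %s rules, rules-simple: %s rules\n' \
    "$(rule_count "$tmp/rules-empty")" "$(rule_count "$tmp/rules-simple")"
```

On a live box, point `nf_stage` and `nf_warnings` at `/boot/config-$(uname -r)` and feed `rule_count` the output of `iptables -S` saved to a file; `lsmod | grep ip_tables` tells you whether a `=m` build has actually reached stage 3.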

2002-07-25 15:30:13

by Harald Welte

Subject: Re: about the performance of netfilter

On Wed, Jul 24, 2002 at 09:24:56PM +0800, zhengchuanbo wrote:
>
> We use a Linux router. I just tested the performance of the router. When the
> kernel is built without netfilter support, the throughput of 64-byte frames is
> about 45%. When I build the kernel with netfilter (only the ip_filter
> module), the throughput dropped to 24%, without any rules.

I assume you are talking about the iptable_filter module?

The loss from 45 to 25 percent sounds reasonable. You add computational
overhead to the codepath for every packet.

That initially you only achieve 45% (of what input packet rate?) indicates that
your system is in severe need of tuning.

Please look through the mailing list archives to find out about NAPI and
related work.

> [email protected]

--
Live long and prosper
- Harald Welte / [email protected] http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)



2002-07-30 16:31:45

by Bill Davidsen

Subject: Re: about the performance of netfilter

On Wed, 24 Jul 2002, zhengchuanbo wrote:

>
> We use a Linux router. I just tested the performance of the router. When
> the kernel is built without netfilter support, the throughput of 64-byte
> frames is about 45%. When I build the kernel with netfilter (only the
> ip_filter module), the throughput dropped to 24%, without any rules. So
> is there some way to improve the performance? I just want some simple
> packet filter. Is netfilter not so good on performance compared to
> ipchains, due to the improved functionality? Please cc. Thanks.

I'm not sure what you mean by 24%, since you don't say of what. I'm not
sure what you expect, an old Pentium 133 gives me 6-8Mbit on 10Mbit cards,
with a fair number of rules installed. If you are trying to load up Gbit
with a 386-16 or something, it won't work well, but for typical small
office setups Linux routing seems to run about as fast as directly
connected machines on the same subnet, although there is latency going
through the router.

--
bill davidsen <[email protected]>
CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.