* iptables performance
From: Bart Duchesne @ 2007-02-15 19:48 UTC (permalink / raw)
  To: netfilter

Hi,

We are running kernel 2.6.17 and using iptables 1.3.5 and are observing
a performance problem.

We have a netfilter firewall consisting of about 800 Chains and a total
of 10000 rules (iptables -nvL | wc -l).

A single iptables manipulation takes about 4 seconds (on a PIV 2Ghz with
1Gb DDR2 ram).

With the same firewall config (on slower hardware) in a 2.4.24 kernel
with iptables 1.2.9 the single iptables manip takes about 500ms.

I traced the iptables command in 2.6.17 and noticed that the 4 seconds
are actually lost in the setsockopt call to write the BLOB back to the
kernel (BLOB size 2Mb ; 11000 entries).

Does anyone have any idea what might be causing this slowdown?
Has the kernel interface changed dramatically between 2.4 and 2.6?
Is it correct to say that no traffic will pass through in those 4
seconds that the filter is updated ?


regards,

Bart Duchesne 


* Re: iptables performance
From: Martin Schiøtz @ 2005-05-26  9:22 UTC (permalink / raw)
  To: Jason Opperisano, netfilter

Yes - This looks like the right thing. Thanks :-) 

On 5/25/05, Jason Opperisano <opie@817west.com> wrote:
> On Wed, May 25, 2005 at 07:20:53PM +0000, Martin Schiøtz wrote:
> > Hi
> >
> > I'm planning to set up a bridge running iptables on an uplink of a lot
> > of internet users. The uplink peaks at about 30 Mbit/s. There
> > are about 1800 /29 IP nets - some /29 nets need to be stopped by
> > the bridge and some can pass. I'm wondering about the performance of
> > iptables when having 1800*2 rules worst case (PREROUTING rules on src
> > and dst nets).
> 
> sounds like a job for ipset [1].  if you have 1800 nets that fall into 2
> categories, you'd have 2 rules, 1 for set 1 and 1 for set 2.  depending
> how the nets break down on CIDR boundaries, you could auto-summarize the
> nets that have the same rules to be applied to them.
> 
> -j
> 
> [1] - http://people.netfilter.org/kadlec/ipset/
> 
> --
> "Quagmire: Don't look at me like that. Fat chicks need love too... but
>  they got to pay."
>         --Family Guy
> 
>


* Re: iptables performance
From: Jason Opperisano @ 2005-05-25 21:25 UTC (permalink / raw)
  To: netfilter

On Wed, May 25, 2005 at 07:20:53PM +0000, Martin Schiøtz wrote:
> Hi 
> 
> I'm planning to set up a bridge running iptables on an uplink of a lot
> of internet users. The uplink peaks at about 30 Mbit/s. There
> are about 1800 /29 IP nets - some /29 nets need to be stopped by
> the bridge and some can pass. I'm wondering about the performance of
> iptables when having 1800*2 rules worst case (PREROUTING rules on src
> and dst nets).

sounds like a job for ipset [1].  if you have 1800 nets that fall into 2
categories, you'd have 2 rules, 1 for set 1 and 1 for set 2.  depending
how the nets break down on CIDR boundaries, you could auto-summarize the
nets that have the same rules to be applied to them.

-j

[1] - http://people.netfilter.org/kadlec/ipset/

--
"Quagmire: Don't look at me like that. Fat chicks need love too... but
 they got to pay."
        --Family Guy

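An added example (not from this thread) of the set-based approach Jason describes, covering Martin's src/dst bridge case: one ipset per verdict, adjacent prefixes with the same verdict collapsed, and two PREROUTING rules per set instead of two per /29. It uses current ipset syntax (`ipset create`, `-m set --match-set`) rather than the 2005 tool at the link; `$IF_DOWN`/`$IF_UP` are the interface variables from Martin's rules, and the customer nets are constructed sample data.

```python
import ipaddress

# Constructed sample: a few /29 customer nets and the verdict each should get.
# A real deployment would load the ~1800 nets from a file or database.
CUSTOMER_NETS = {
    "10.0.0.0/29": "ACCEPT",
    "10.0.0.8/29": "ACCEPT",    # adjacent to the net above: both collapse to /28
    "10.0.0.16/29": "DROP",
    "10.0.1.0/29": "ACCEPT",
    "10.0.1.8/29": "DROP",
}


def summarize(nets):
    """Collapse adjacent or overlapping prefixes that share one verdict."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))


def build_ruleset(nets_by_verdict, if_down="$IF_DOWN", if_up="$IF_UP"):
    """Return ipset/iptables commands: one hash:net set per verdict, then two
    PREROUTING rules per set (src match for packets entering from the customer
    side, dst match for packets entering from the uplink side)."""
    by_verdict = {}
    for net, verdict in nets_by_verdict.items():
        by_verdict.setdefault(verdict, []).append(net)

    cmds = []
    for verdict, nets in sorted(by_verdict.items()):
        setname = f"cust_{verdict.lower()}"
        cmds.append(f"ipset create {setname} hash:net")
        for n in summarize(nets):
            cmds.append(f"ipset add {setname} {n}")

    # Sets are disjoint, so rule order between ACCEPT and DROP does not matter;
    # packets from nets in neither set hit neither rule and continue unchanged.
    for verdict in sorted(by_verdict):
        setname = f"cust_{verdict.lower()}"
        cmds.append(f"iptables -t mangle -A PREROUTING -m physdev --physdev-in {if_down} "
                    f"-m set --match-set {setname} src -j {verdict}")
        cmds.append(f"iptables -t mangle -A PREROUTING -m physdev --physdev-in {if_up} "
                    f"-m set --match-set {setname} dst -j {verdict}")
    return cmds


if __name__ == "__main__":
    print("\n".join(build_ruleset(CUSTOMER_NETS)))
```

Rule count stays at four regardless of how many nets are loaded into the sets, which is the whole point for the 1800*2 worst case.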

* iptables performance
From: Martin Schiøtz @ 2005-05-25 19:20 UTC (permalink / raw)
  To: netfilter

Hi 

I'm planning to set up a bridge running iptables on an uplink of a lot
of internet users. The uplink peaks at about 30 Mbit/s. There
are about 1800 /29 IP nets - some /29 nets need to be stopped by
the bridge and some can pass. I'm wondering about the performance of
iptables when having 1800*2 rules worst case (PREROUTING rules on src
and dst nets).

Actually I have made some kind of hashing using user defined rules.
This means a packet travels through at most about 65 + 32
rules. I have not tested live - before I do this, I would like to know
if anybody here has any experience or idea about performance with
that kind of traffic load and number of rules?

Best regards,
Martin

My user defined rules:

# one user-defined chain per /24 customer block
iptables -t mangle -N 10.0.0.0/24
...
...
iptables -t mangle -N 10.0.x.x/24

# inside each /24 chain: accept the permitted /29 nets (src when entering
# from the customer side, dst when entering from the uplink), drop the rest
iptables -t mangle -I 10.0.0.0/24 1 -m physdev --physdev-in $IF_DOWN -s 10.0.0.0/29 -j ACCEPT
iptables -t mangle -I 10.0.0.0/24 1 -m physdev --physdev-in $IF_UP -d 10.0.0.0/29 -j ACCEPT
...
...
iptables -t mangle -A 10.0.0.0/24 -j DROP
...
...

# PREROUTING dispatches each customer net to its /24 chain
iptables -t mangle -I PREROUTING 4 -m physdev --physdev-in $IF_DOWN -s $CUSTOMER_NET_1 --goto 10.0.0.0/24
iptables -t mangle -I PREROUTING 4 -m physdev --physdev-in $IF_UP -d $CUSTOMER_NET_1 --goto 10.0.0.0/24
...
...
iptables -t mangle -I PREROUTING 4 -m physdev --physdev-in $IF_DOWN -s $CUSTOMER_NET_1 --goto 10.0.x.x/24
iptables -t mangle -I PREROUTING 4 -m physdev --physdev-in $IF_UP -d $CUSTOMER_NET_1 --goto 10.0.x.x/24


* Re: IPTables Performance...
From: Harald Welte @ 2004-07-30  8:15 UTC (permalink / raw)
  To: Scott Switzer; +Cc: netfilter


[Cc'ing netfilter list, since that is the right place for this kind of
question]

On Sun, Jul 25, 2004 at 08:56:12PM +0100, Scott Switzer wrote:

> My company serves thousands of small HTTP requests per second (roughly
> 3000 connections per second with a max of 10k request size - 50Mbps
> bandwidth), and we have just maxed out our Netscreen 204 (128,000
> simultaneous sessions).  The next level of Netscreen is roughly $50K,
> and I received advice to use either iptables or pf rather than a
> proprietary firewall.  Since our requirements regarding the complexity
> of a firewall (outside of throughput) are relatively small (no complex
> rule sets), I am willing to look at this option.
> 
> In short:
> Can iptables manage this kind of load?

sure!

> What are the hardware resources that are needed for this?  I have an AMD
> 2.2Ghz Opteron with 2Gb memory which could be used for this task.  Is
> this sufficient?

I would say it's way more than sufficient ;)  I've been doing firewall
benchmarking at multiple gigabit speeds on dual opteron boxes ;)... with
a single opteron you should be able to do at least 250.000 packets per
second, even without any tuning and a very suboptimal ruleset.

> What kernel would you recommend for this?

2.6.7

> Cheers,
> Scott Switzer

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
