Build firewall with millions pps support

Build firewall with millions pps support

[Satish Patel]

Planning to build stateless firewall which support 10GE link with
handling 2 million packet per second, need following suggestion from
folks

1. Which OS i should use?  (BSD or Linux?)
2. what type of 10GE NIC i should pick to achieve high Mpps (multiqueue etc.)
3. what should i use for bypass kernel (I heard from googling people
saying use this technique).
4. what kind of server i should pick?

We are build this firewall to stop bad traffic at front door and DDoS
(specially flooding and UDP IP Fragmentation stype)

Re: Build firewall with millions pps support

[Luigi Rizzo]

On Tue, Apr 26, 2016 at 11:20:00PM -0400, Satish Patel wrote:
> Planning to build stateless firewall which support 10GE link with
> handling 2 million packet per second, need following suggestion from
> folks
> 
> 1. Which OS i should use?  (BSD or Linux?)
> 2. what type of 10GE NIC i should pick to achieve high Mpps (multiqueue etc.)
> 3. what should i use for bypass kernel (I heard from googling people
> saying use this technique).
> 4. what kind of server i should pick?
> 
> We are build this firewall to stop bad traffic at front door and DDoS
> (specially flooding and UDP IP Fragmentation stype)


you may want to look at github.com/luigirizzo/netmap-ipfw ,
it is a version of FreeBSD's ipfw+dummynet which runs on top
of netmap.

This works on both Linux and FreeBSD

Re. cards in my experience the Intel cards (the old X520
based on the 85299, and the newer X710 based on the new chipset)
are both decent (I have a slight preference for the older,
which I find more performant)

cheers
luigi

> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: Build firewall with millions pps support

[André Paulsberg-Csibi (IBM Consultant)]

1. "We" us Linux , I do not see anything bad about using BSD either
2. the " Intel Corporation 82598EB 10-Gigabit AF Dual Port Network Connection (rev 01)" ,
   "we" use 2 of these in each FW with LACP bonding giving 2 x 20Gbps
3. For this one I have no 100% answer , but our firewall is running full stateful mode with IPS and uses its own kernel module .
4. I guess that depends more on your logging level ,
   But "we" use Intel(R) Xeon(R) CPU E5645  @ 2.40GHz and RAID 1 setup for storing the local logs .

Our usage may be different then what yours will be ( or planned to be ),
but the FW can handle 1M pps depending on the number of "session" setups .
So if the traffic is mostly DNS ( UDP 53 ) packets it may have lower throughput


MVH André Paulsberg-Csibi


-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Satish Patel
Sent: 27. april 2016 05:20
To: netfilter@vger.kernel.org
Subject: Build firewall with millions pps support

Planning to build stateless firewall which support 10GE link with
handling 2 million packet per second, need following suggestion from
folks

1. Which OS i should use?  (BSD or Linux?)
2. what type of 10GE NIC i should pick to achieve high Mpps (multiqueue etc.)
3. what should i use for bypass kernel (I heard from googling people
saying use this technique).
4. what kind of server i should pick?

We are build this firewall to stop bad traffic at front door and DDoS
(specially flooding and UDP IP Fragmentation stype)
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Build firewall with millions pps support

[Satish Patel]

It looks good I will sure look at it. Just curious why we need dummynet I think it use for traffic shapping right? Just trying to understand how ipfw and dummynet will boost pps? 

--
Sent from my iPhone

> On Apr 27, 2016, at 2:39 AM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
> 
> ipfw+dummynet

Re: Build firewall with millions pps support

[Luigi Rizzo]

On Wed, Apr 27, 2016 at 08:57:36AM -0400, Satish Patel wrote:
> It looks good I will sure look at it. Just curious why we need dummynet I think it use for traffic shapping right? Just trying to understand how ipfw and dummynet will boost pps? 

You don't need to _use_ dummynet, they just happen to come together.

If you only need to implement a firewall then your ipfw rules
will only contain pass/drop actions.

The performance boost comes from using netmap,  thus bypassing the
native network stack and -- if available -- using optimized network
drivers.

cheers
luigi

Re: Build firewall with millions pps support

[Satish Patel]

How about this Intel NIC
http://www.intel.com/content/dam/doc/product-brief/ethernet-x520-server-adapters-brief.pdf

Does it support Multi Queue?

On Wed, Apr 27, 2016 at 2:13 AM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
> you may want to look at github.com/luigirizzo/netmap-ipfw ,
> it is a version of FreeBSD's ipfw+dummynet which runs on top
> of netmap.
>
> This works on both Linux and FreeBSD
>
> Re. cards in my experience the Intel cards (the old X520
> based on the 85299, and the newer X710 based on the new chipset)
> are both decent (I have a slight preference for the older,
> which I find more performant)
>
> cheers
> luigi
>
>
> On Wed, Apr 27, 2016 at 5:20 AM, Satish Patel <satish.txt@gmail.com> wrote:
>>
>> Planning to build stateless firewall which support 10GE link with
>> handling 2 million packet per second, need following suggestion from
>> folks
>>
>> 1. Which OS i should use?  (BSD or Linux?)
>> 2. what type of 10GE NIC i should pick to achieve high Mpps (multiqueue
>> etc.)
>> 3. what should i use for bypass kernel (I heard from googling people
>> saying use this technique).
>> 4. what kind of server i should pick?
>>
>> We are build this firewall to stop bad traffic at front door and DDoS
>> (specially flooding and UDP IP Fragmentation stype)
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
>
>
> --
> -----------------------------------------+-------------------------------
>  Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
>  http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
>  TEL      +39-050-2217533               . via Diotisalvi 2
>  Mobile   +39-338-6809875               . 56122 PISA (Italy)
> -----------------------------------------+-------------------------------

Re: Build firewall with millions pps support

[Luigi Rizzo]

On Wed, Apr 27, 2016 at 11:02:05AM -0400, Satish Patel wrote:
> How about this Intel NIC
> http://www.intel.com/content/dam/doc/product-brief/ethernet-x520-server-adapters-brief.pdf
> 
> Does it support Multi Queue?

yes, and that's the X520 i mentioned (there are many models based on
the same chipset, i don't know the exact models).

cheers
luigi

> On Wed, Apr 27, 2016 at 2:13 AM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
> > you may want to look at github.com/luigirizzo/netmap-ipfw ,
> > it is a version of FreeBSD's ipfw+dummynet which runs on top
> > of netmap.
> >
> > This works on both Linux and FreeBSD
> >
> > Re. cards in my experience the Intel cards (the old X520
> > based on the 85299, and the newer X710 based on the new chipset)
> > are both decent (I have a slight preference for the older,
> > which I find more performant)
> >
> > cheers
> > luigi
> >
> >
> > On Wed, Apr 27, 2016 at 5:20 AM, Satish Patel <satish.txt@gmail.com> wrote:
> >>
> >> Planning to build stateless firewall which support 10GE link with
> >> handling 2 million packet per second, need following suggestion from
> >> folks
> >>
> >> 1. Which OS i should use?  (BSD or Linux?)
> >> 2. what type of 10GE NIC i should pick to achieve high Mpps (multiqueue
> >> etc.)
> >> 3. what should i use for bypass kernel (I heard from googling people
> >> saying use this technique).
> >> 4. what kind of server i should pick?
> >>
> >> We are build this firewall to stop bad traffic at front door and DDoS
> >> (specially flooding and UDP IP Fragmentation stype)
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
> >
> >
> >
> > --
> > -----------------------------------------+-------------------------------
> >  Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
> >  http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
> >  TEL      +39-050-2217533               . via Diotisalvi 2
> >  Mobile   +39-338-6809875               . 56122 PISA (Italy)
> > -----------------------------------------+-------------------------------

Re: Build firewall with millions pps support

[Satish Patel]

already did lots of and more you google more you get confused.. They
are many many kind of NIC out there and everyone is slide differ from
other thats why thought lets ask experts so i can save time and money
to because i don't want to buy something buy mistake which look fancy
by description. Anyway thanks for advice :)

On Wed, Apr 27, 2016 at 11:08 AM, Payam Chychi <pchychi@gmail.com> wrote:
>
>
> On Apr 27, 2016, 8:03 AM -0700, Satish Patel <satish.txt@gmail.com>, wrote:
>
> How about this Intel NIC
> http://www.intel.com/content/dam/doc/product-brief/ethernet-x520-server-adapters-brief.pdf
>
> Does it support Multi Queue?
>
> On Wed, Apr 27, 2016 at 2:13 AM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
>
> you may want to look at github.com/luigirizzo/netmap-ipfw ,
> it is a version of FreeBSD's ipfw+dummynet which runs on top
> of netmap.
>
> This works on both Linux and FreeBSD
>
> Re. cards in my experience the Intel cards (the old X520
> based on the 85299, and the newer X710 based on the new chipset)
> are both decent (I have a slight preference for the older,
> which I find more performant)
>
> cheers
> luigi
>
>
> On Wed, Apr 27, 2016 at 5:20 AM, Satish Patel <satish.txt@gmail.com> wrote:
>
>
> Planning to build stateless firewall which support 10GE link with
> handling 2 million packet per second, need following suggestion from
> folks
>
> 1. Which OS i should use? (BSD or Linux?)
> 2. what type of 10GE NIC i should pick to achieve high Mpps (multiqueue
> etc.)
> 3. what should i use for bypass kernel (I heard from googling people
> saying use this technique).
> 4. what kind of server i should pick?
>
> We are build this firewall to stop bad traffic at front door and DDoS
> (specially flooding and UDP IP Fragmentation stype)
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
>
>
> --
> -----------------------------------------+-------------------------------
> Prof. Luigi RIZZO, rizzo@iet.unipi.it . Dip. di Ing. dell'Informazione
> http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
> TEL +39-050-2217533 . via Diotisalvi 2
> Mobile +39-338-6809875 . 56122 PISA (Italy)
> -----------------------------------------+-------------------------------
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
>
> Mate, how about you use the power of google and do some actual research
> insted of asking for people to hold your hand without any prior work done by
> yourself?
>
>