linux-kernel.vger.kernel.org archive mirror
* about the performance of netfilter
@ 2002-07-24 13:24 zhengchuanbo
  2002-07-25  7:27 ` Rusty Russell
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: zhengchuanbo @ 2002-07-24 13:24 UTC (permalink / raw)
  To: linux-kernel


We use a Linux router. I just tested the performance of the router. When the kernel is built without netfilter support, the throughput of 64-byte frames is about 45%. When I build the kernel with netfilter (only the ip_filter module), the throughput dropped to 24%, without any rules.
So is there some way to improve the performance? I just want some simple packet filter. Is netfilter not so good on performance compared to ipchains due to the improved functionality?
Please cc. Thanks.

regards,

zheng chuanbo
zhengcb@netpower.com.cn



* Re: about the performance of netfilter
  2002-07-24 13:24 about the performance of netfilter zhengchuanbo
@ 2002-07-25  7:27 ` Rusty Russell
  2002-07-25  7:28 ` Harald Welte
  2002-07-30 16:29 ` Bill Davidsen
  2 siblings, 0 replies; 4+ messages in thread
From: Rusty Russell @ 2002-07-25  7:27 UTC (permalink / raw)
  To: zhengchuanbo; +Cc: linux-kernel

On Wed, 24 Jul 2002 21:24:56 +0800
zhengchuanbo <zhengcb@netpower.com.cn> wrote:

> 
> We use a Linux router. I just tested the performance of the router. When the kernel is built without netfilter support, the throughput of 64-byte frames is about 45%. When I build the kernel with netfilter (only the ip_filter module), the throughput dropped to 24%, without any rules.
> So is there some way to improve the performance? I just want some simple packet filter. Is netfilter not so good on performance compared to ipchains due to the improved functionality?
> Please cc. Thanks.

There are several stages.
1) CONFIG_NETFILTER=n
2) CONFIG_NETFILTER=y
3) CONFIG_NETFILTER=y CONFIG_IP_NF_TABLES=m, ip_tables.o loaded
4) iptables rules inserted.

Make sure you do not have CONFIG_NETFILTER_DEBUG or CONFIG_IP_NF_CONNTRACK
on!

Rusty.
-- 
   there are those who do and those who hang on and you don't see too
   many doers quoting their contemporaries.  -- Larry McVoy
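
The configuration stages listed in the reply above, as an added example that is not part of the original message: a shell check that reads a kernel `.config`, reports which of stages 1 to 3 it corresponds to, and names the two options the reply says to keep off. The function names and the sample config are constructed for illustration; the script accepts `CONFIG_IP_NF_IPTABLES` (the name 2.4 kernels use for the iptables option) alongside the `CONFIG_IP_NF_TABLES` spelling used in the reply.

```shell
#!/bin/sh
# opt_state FILE OPTION -> prints y, m or n ("is not set" and absent both count as n)
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# netfilter_stage FILE -> prints 1, 2 or 3 (stage 4, rules inserted, is runtime state)
netfilter_stage() {
    if [ "$(opt_state "$1" CONFIG_NETFILTER)" = n ]; then echo 1; return; fi
    # Accept the spelling from the reply and the 2.4 option name (assumption noted above).
    for o in CONFIG_IP_NF_TABLES CONFIG_IP_NF_IPTABLES; do
        if [ "$(opt_state "$1" "$o")" != n ]; then echo 3; return; fi
    done
    echo 2
}

# costly_options FILE -> prints the enabled options the reply says to keep off
costly_options() {
    out=""
    for o in CONFIG_NETFILTER_DEBUG CONFIG_IP_NF_CONNTRACK; do
        if [ "$(opt_state "$1" "$o")" != n ]; then out="$out $o"; fi
    done
    echo "${out# }"
}

# Constructed sample .config fragment (not taken from the thread).
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
echo "stage: $(netfilter_stage "$tmp")"
echo "enabled but advised against: $(costly_options "$tmp")"
rm -f "$tmp"
```

Stage 3 only says the iptables code is built; whether `ip_tables.o` is actually loaded, and whether any rules are inserted (stage 4), has to be checked on the running system.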


* Re: about the performance of netfilter
  2002-07-24 13:24 about the performance of netfilter zhengchuanbo
  2002-07-25  7:27 ` Rusty Russell
@ 2002-07-25  7:28 ` Harald Welte
  2002-07-30 16:29 ` Bill Davidsen
  2 siblings, 0 replies; 4+ messages in thread
From: Harald Welte @ 2002-07-25  7:28 UTC (permalink / raw)
  To: zhengchuanbo; +Cc: linux-kernel


On Wed, Jul 24, 2002 at 09:24:56PM +0800, zhengchuanbo wrote:
> 
> We use a Linux router. I just tested the performance of the router. When the
> kernel is built without netfilter support, the throughput of 64-byte frames is
> about 45%. When I build the kernel with netfilter (only the ip_filter
> module), the throughput dropped to 24%, without any rules.

I assume you are talking about the iptable_filter module? 

The loss from 45 to 25 percent sounds reasonable.  You add computational 
overhead to the codepath for every packet.  

That initially you only achieve 45% (of what input packet rate?) indicates that
your system is in severe need of tuning.  

Please look through the mailing list archives to find out about NAPI and
related work.

> zhengcb@netpower.com.cn

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)



* Re: about the performance of netfilter
  2002-07-24 13:24 about the performance of netfilter zhengchuanbo
  2002-07-25  7:27 ` Rusty Russell
  2002-07-25  7:28 ` Harald Welte
@ 2002-07-30 16:29 ` Bill Davidsen
  2 siblings, 0 replies; 4+ messages in thread
From: Bill Davidsen @ 2002-07-30 16:29 UTC (permalink / raw)
  To: zhengchuanbo; +Cc: linux-kernel

On Wed, 24 Jul 2002, zhengchuanbo wrote:

> 
> We use a Linux router. I just tested the performance of the router. When
> the kernel is built without netfilter support, the throughput of 64-byte
> frames is about 45%. When I build the kernel with netfilter (only the
> ip_filter module), the throughput dropped to 24%, without any rules. So
> is there some way to improve the performance? I just want some simple
> packet filter. Is netfilter not so good on performance compared to
> ipchains due to the improved functionality? Please cc. Thanks.

I'm not sure what you mean by 24%, since you don't say of what. I'm not
sure what you expect, an old Pentium 133 gives me 6-8Mbit on 10Mbit cards,
with a fair number of rules installed. If you are trying to load up Gbit
with a 386-16 or something, it won't work well, but for typical small
office setups Linux routing seems to run about as fast as directly
connected machines on the same subnet, although there is latency going
through the router.

-- 
bill davidsen <davidsen@tmr.com>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.


