* How to measure/profile ruleset performance?
@ 2024-04-19 16:02 William N.
2024-04-19 16:06 ` Serhii
0 siblings, 1 reply; 5+ messages in thread
From: William N. @ 2024-04-19 16:02 UTC (permalink / raw)
To: netfilter
Hi,
How can I measure the performance of particular nftables
rules/chains/tables with idea to optimize the bottlenecks?
Currently, I am trying to do this by commenting/uncommenting sections
of the ruleset and running iperf3. However, this seems quite
inaccurate, inconsistent and time-consuming.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: How to measure/profile ruleset performance?
2024-04-19 16:02 How to measure/profile ruleset performance? William N.
@ 2024-04-19 16:06 ` Serhii
2024-04-19 16:28 ` William N.
0 siblings, 1 reply; 5+ messages in thread
From: Serhii @ 2024-04-19 16:06 UTC (permalink / raw)
To: netfilter
iperf3 checks only link throughput. To evaluate firewall performance you would need to generate high packet rate.
On 4/19/24 16:02, William N. wrote:
> Hi,
>
> How can I measure the performance of particular nftables
> rules/chains/tables with idea to optimize the bottlenecks?
>
> Currently, I am trying to do this by commenting/uncommenting sections
> of the ruleset and running iperf3. However, this seems quite
> inaccurate, inconsistent and time-consuming.
>
--
Send unsolicited bulk mail to carle34@at.encryp.ch
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: How to measure/profile ruleset performance?
2024-04-19 16:06 ` Serhii
@ 2024-04-19 16:28 ` William N.
2024-04-19 16:30 ` Serhii
0 siblings, 1 reply; 5+ messages in thread
From: William N. @ 2024-04-19 16:28 UTC (permalink / raw)
To: netfilter
On Fri, 19 Apr 2024 16:06:14 +0000 Serhii wrote:
> To evaluate firewall performance you would need to generate high
> packet rate.
How to do that?
And how will I know how individual rules perform?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: How to measure/profile ruleset performance?
2024-04-19 16:28 ` William N.
@ 2024-04-19 16:30 ` Serhii
2024-04-19 17:29 ` William N.
0 siblings, 1 reply; 5+ messages in thread
From: Serhii @ 2024-04-19 16:30 UTC (permalink / raw)
To: netfilter
I am not aware of any software-appliances or solutions to perform per-rule firewall performance evaluation, however there are a few hardware traffic generators that are able to squeze packets on a line rate speed. As for software frameworks, you might be interested in DPDK.
On 4/19/24 16:28, William N. wrote:
> On Fri, 19 Apr 2024 16:06:14 +0000 Serhii wrote:
>
>> To evaluate firewall performance you would need to generate high
>> packet rate.
>
> How to do that?
> And how will I know how individual rules perform?
>
--
Send unsolicited bulk mail to carle34@at.encryp.ch
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: How to measure/profile ruleset performance?
2024-04-19 16:30 ` Serhii
@ 2024-04-19 17:29 ` William N.
0 siblings, 0 replies; 5+ messages in thread
From: William N. @ 2024-04-19 17:29 UTC (permalink / raw)
To: netfilter
What do you mean by:
On Fri, 19 Apr 2024 16:30:45 +0000 Serhii wrote:
> to squeze packets on a line rate speed.
> to generate high packet rate.
Is that possible with Linux software tools?
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-04-19 17:29 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-19 16:02 How to measure/profile ruleset performance? William N.
2024-04-19 16:06 ` Serhii
2024-04-19 16:28 ` William N.
2024-04-19 16:30 ` Serhii
2024-04-19 17:29 ` William N.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).