LinuxSA Mailing list archives
From: Alan Kennington <akenning@topology.org>
To: LinuxSA <linuxsa@linuxsa.org.au>
Date: Sat, 23 Jun 2001 20:34:51 +0930
Re: The Impact of Ipchains and/or Ipfilter on Performance
On Sat, Jun 23, 2001 at 07:00:03PM +0930, David Lloyd wrote:
>
> Does anyone know of any definitive papers or sites on the impact of
> using ipchains or iptables on performance? I remember one person on an
> IRC channel (no one on LinuxSA that I can recall) commenting that adding
> an ipchains rule would slow one's whole system down where slow, of
> course, is a very relative term...
>
David,
I asked this question during a tutorial by Rusty last year
(or was it the year before?), and he assured us that even
with heaps of rules, 100 Mbit/sec throughput is not a problem at all.
Personally, I doubt that, although I haven't tried it.
Take the example of 100 Mbit/sec continuous throughput of
ping packets - not very realistic, I admit.
But this is the worst case (for a single interface),
and if you can cope with this,
you can cope with anything.
In this case, you have about 200,000 packets/second.
This gives you on a 400 MHz machine about 2000 cycles
per packet.
If you look at the basic IP code, you'll see that it contains
a big heap of processing per packet already.
If you allow about 10-20 cycles per rule, and a packet has
to go through 10 rules on average, that's about 10% of your CPU
cycles gone in rule processing alone. I'd estimate a
further 10% to 20% for basic IP layer processing etc.
Hmmm. Well this looks like the worst case
should be feasible just.
But my experience with 155 Mbit/sec ATM has indicated
that the IP layer overhead + device driver overhead together
cause the maximum continuous throughput to be about 30%
on a 400 MHz CPU with 1000 Byte packets.
That seems to indicate that given the huge overheads in
just the basic packet I/O processing, the extra overhead
of ipchains/iptables rules might not be even noticeable.
Someone should do an experiment!
Cheers,
Alan Kennington.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject