On Thu, Mar 14, 2002 at 02:32:51PM -0800, Americo Melara wrote:
>> Hi, I'm working on my thesis and need some help. I am doing performance
>> measurements to understand how much overhead does iptables create in the
>> stack when processing a single packet by varying the number and type of rules,
>> and payload size of each packet.

> Could you please describe the exact details on how you measure the performance?
> What are the rulesets, which plugins/extensions are loaded, do you use
> a modular or statically compiled kernel, is it a SMP box, do you use connection
> tracking, ....
> Otherwise it's just guessing in the dark.

Yeap! here it is! Sorry, but I can't make it any shorter.

I am using a dual Pentium II 400MHz but I have turned the SMP option OFF in the kernel configuration (I hope that the second one is not working).

I'm using a modular 2.4.7 kernel, but before I do the tests I load the modules. These are the modules that I use: ipt_mac, ipt_REJECT, iptable_mangle, ipt_limit, iptable_filter, ip_conntrack

The rule sets. I do independent tests for each type of match, for example, (test 1) drop 10 IP addresses, (test 2) drop 40 IP addresses. I do not do any connection tracking at all.

The tests are performed as follows:

PHASE 1
INPUT policy: ACCEPT
Protocol: TCP - send one packet every 4 seconds (send 40 of them)
Payload size: 64 bytes (I do the same tests for payloads of 1400 bytes to compare results)

Test A.1 --- Drop 10 IP addresses (e.g. iptables -A INPUT -s X.X.X.X -j DROP)
Test A.2 --- Drop 40 IP addresses
Test B.1 --- Drop 10 MAC addresses (e.g. iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP)
Test B.2 --- Drop 40 MAC addresses
Test C.1 --- Drop 10 TCP ports (e.g. iptables -A INPUT -p tcp --dport X -j DROP)
Test C.2 --- Drop 40 TCP ports

Repeat the process for Protocol: UDP

INPUT policy: DROP
Same number of rules, but instead of dropping IP/MAC/TCP I accept them.

Where do I take the timestamps to track the packet throughout the stack? Here:
1. netif_rx @ (net/core/dev.c)
2. ip_local_deliver @ (net/ipv4/ip_input.c) before it calls NF_HOOK
3. ip_local_deliver_finish @ (net/ipv4/ip_input.c) at the beginning of the function
4. tcp_rcv_established @ (net/ipv4/tcp_input.c) at the end of the function
5. sock_recvmsg @ (net/socket.c) before it exits the function

How do I take timestamps? Specifically using rdtscl( ), but there is a lot of code in between to grab other information about the packet (e.g. 'skb->stamp' used as an ID to match the time with the time as it travels throughout the layers).

-- Personal question, would the community be interested in seeing these results?

Americo Melara
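Added example (not from the post or its author): a small Python analysis that pairs rdtscl readings from the five trace points above by skb->stamp and reports per-hop latency, so the INPUT chain cost falls out as the delta between point 2 (ip_local_deliver, before NF_HOOK) and point 3 (ip_local_deliver_finish). The log line format "point id tsc" and all sample values are constructed; the 400 MHz clock matches the Pentium II described.

```python
"""Per-hop latency from constructed rdtsc trace lines (added example)."""
from collections import defaultdict

# Trace points in the order the post lists them (1..5).
POINTS = ["netif_rx", "ip_local_deliver", "ip_local_deliver_finish",
          "tcp_rcv_established", "sock_recvmsg"]
CPU_HZ = 400_000_000  # Pentium II 400 MHz: one TSC tick = 2.5 ns

# Constructed sample: "<point> <skb->stamp as id> <rdtsc>". Packet 1000.2 is
# only seen before NF_HOOK, i.e. the INPUT chain dropped it.
SAMPLE = """\
netif_rx 1000.1 100000
ip_local_deliver 1000.1 108000
ip_local_deliver_finish 1000.1 120000
tcp_rcv_established 1000.1 140000
sock_recvmsg 1000.1 152000
netif_rx 1000.2 200000
ip_local_deliver 1000.2 208400
"""

def parse_trace(text):
    """Group timestamps by packet id: {id: {point: tsc}}."""
    per_pkt = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        point, pkt, tsc = line.split()
        if point not in POINTS:
            raise ValueError(f"unknown trace point {point!r}")
        per_pkt[pkt][point] = int(tsc)
    return dict(per_pkt)

def hop_latencies(per_pkt, cpu_hz=CPU_HZ):
    """Microseconds between consecutive trace points for each packet.
    A hop whose later point was never reached (dropped packet) is None."""
    out = {}
    for pkt, st in per_pkt.items():
        out[pkt] = {f"{a}->{b}": ((st[b] - st[a]) * 1e6 / cpu_hz
                                  if a in st and b in st else None)
                    for a, b in zip(POINTS, POINTS[1:])}
    return out

def dropped_packets(per_pkt):
    """Ids that entered NF_HOOK but never reached ip_local_deliver_finish."""
    return sorted(p for p, st in per_pkt.items()
                  if "ip_local_deliver" in st and "ip_local_deliver_finish" not in st)

def mean_input_chain_us(per_pkt, cpu_hz=CPU_HZ):
    """Mean INPUT-chain cost (point 2 -> point 3) over packets that survived it."""
    costs = [h["ip_local_deliver->ip_local_deliver_finish"]
             for h in hop_latencies(per_pkt, cpu_hz).values()]
    costs = [c for c in costs if c is not None]
    return sum(costs) / len(costs) if costs else None
```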