On Sat, Mar 16, 2002 at 03:35:29PM -0800, Americo Melara wrote:

> Yeap! Here it is!  Sorry, but I can't make it any shorter.

No problem, the more details, the better.

> I am using a dual Pentium II 400MHz but I have turned the SMP option OFF in
> the kernel configuration (I hope that the second one is not working).  I'm
> using a modular 2.4.7 kernel, but before I do the tests I load the
> modules. These are the modules that I use:
>  ipt_mac,  ipt_REJECT, iptable_mangle, ipt_limit, iptable_filter,
> ip_conntrack
> 
> The rule sets.
> I do independent tests for each type of match, for example, (test 1) drop 10
> IP addresses, (test 2) drop 40 IP addresses.  I do not do any connection
> tracking at all.

But above you are stating that you are using the ip_conntrack module?

> The tests are performed as follows:
> PHASE 1
> INPUT policy: ACCEPT
> Protocol:  TCP - send one packet every 4 seconds (send 40 of them)
> Payload size:
>  64 bytes  (I do the same tests for payloads of 1400 bytes to compare
> results)
> 
> Test A.1 --- Drop 10 IP addresses  (e.g.   iptables -A INPUT -s X.X.X.X -j
> DROP)
> Test A.2 --- Drop 40 IP addresses
> Test B.1 --- Drop 10 MAC addresses  (e.g. iptables -A INPUT -m
> mac --mac-source XX:XX:XX:XX:XX:XX -j DROP)
> Test B.2 --- Drop 40 MAC addresses
> Test C.1 --- Drop 10 TCP ports (e.g. iptables -A INPUT --proto tcp --dport
> X -j DROP)
> Test C.2 --- Drop 40 TCP ports
> 
> Repeat the process for
> Protocol: UDP
> INPUT policy DROP
> Same number of rules but instead of dropping IP/MAC/TCP I accept them
> 
> Where do I take the timestamps to track the packet throughout the stack?
> here:
> 1. netif_rx    @ (net/core/dev.c)
> 2. ip_local_deliver @ (net/ipv4/ip_input.c) before it calls NF_HOOK
> 3. ip_local_deliver_finish @ (net/ipv4/ip_input.c)  at the beginning of the
> function
> 4. tcp_rcv_established @ (net/ipv4/tcp_input.c) at the end of the function
> 5. sock_recvmsg @ (net/socket.c) before it exits the function
> How do I take timestamps?  Specifically using rdtscl( ) but there is a lot
> of code in between to grab other information about the packet (e.g
> 'skb->stamp' used as an ID to match the time with the time as it travels
> throughout the layers)

So you are benchmarking filtering of local packets?  That isn't too
interesting, sorry. Most people are interested in the traditional firewall
case, where packets get forwarded.

> -- Personal question, would the community be interested in seeing these
> results?

Definitely.

> Americo Melara

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
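As an added example (not part of Americo's post or Harald's reply): a POSIX shell generator for the rule sets of tests A, B and C, parameterised by rule count, phase (policy ACCEPT with DROP rules, or policy DROP with ACCEPT rules) and chain, so the same sets can be applied to FORWARD for the routed-firewall case Harald asks about rather than only to INPUT. The source addresses (10.0.x.y), MAC addresses (02:00:00:00:xx:yy) and ports (10001 upwards) are constructed test values; the script prints the iptables commands instead of running them, so it works on any box and can be piped into sh on the test machine.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Emits the iptables rule sets for tests A (IP), B (MAC) and C (port)
# with an arbitrary rule count and chain. All addresses/ports are
# constructed test values. Output is printed, not executed.

# gen_rules KIND COUNT CHAIN TARGET [PROTO]
#   KIND   ip | mac | port          (tests A, B, C)
#   COUNT  number of rules          (10 or 40 in the tests above)
#   CHAIN  INPUT for local delivery, FORWARD for the routed case
#   TARGET DROP (phase 1) or ACCEPT (phase 2)
#   PROTO  tcp (default) or udp, used by the port rules only
gen_rules() {
    kind=$1 count=$2 chain=$3 target=$4 proto=${5:-tcp}
    i=1
    while [ "$i" -le "$count" ]; do
        hi=$((i / 256)) lo=$((i % 256))
        case "$kind" in
            ip)   printf 'iptables -A %s -s 10.0.%d.%d -j %s\n' \
                      "$chain" "$hi" "$lo" "$target" ;;
            mac)  # the mac match is only valid in PREROUTING, INPUT and FORWARD
                  printf 'iptables -A %s -m mac --mac-source 02:00:00:00:%02x:%02x -j %s\n' \
                      "$chain" "$hi" "$lo" "$target" ;;
            port) printf 'iptables -A %s -p %s --dport %d -j %s\n' \
                      "$chain" "$proto" $((10000 + i)) "$target" ;;
            *)    echo "gen_rules: unknown kind '$kind'" >&2; return 1 ;;
        esac
        i=$((i + 1))
    done
}

# gen_phase PHASE KIND COUNT CHAIN [PROTO]
#   PHASE 1: policy ACCEPT, rules DROP   (test packets matching a rule are dropped)
#   PHASE 2: policy DROP,   rules ACCEPT (test packets matching a rule are accepted)
# Flushes the chain first so each run starts from exactly COUNT rules.
gen_phase() {
    phase=$1 kind=$2 count=$3 chain=$4 proto=${5:-tcp}
    case "$phase" in
        1) policy=ACCEPT target=DROP ;;
        2) policy=DROP   target=ACCEPT ;;
        *) echo "gen_phase: phase must be 1 or 2" >&2; return 1 ;;
    esac
    echo "iptables -F $chain"
    echo "iptables -P $chain $policy"
    gen_rules "$kind" "$count" "$chain" "$target" "$proto"
}

# Example: test A.2 (40 dropped IP addresses) in the forwarded-packet variant.
gen_phase 1 ip 40 FORWARD
```

Run it as `sh gen.sh | sh` on the test box to load a set, or redirect the output to a file to keep alongside the measurements. One caveat relevant to the conntrack question raised above: simply having ip_conntrack loaded is enough to run every packet through connection tracking, because the module registers its netfilter hooks at load time whether or not any rule references it, so a "no connection tracking" baseline needs the module unloaded, not merely unused.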
