I ran some tests with 2.4.14 with the following setups

1. firewall toolkit plug-gw proxy (forks for every connection)

2. packet forwarding with connection tracking on, no NAT, no -m

system was 1.2 GHz athlon 512M ram
benchmark consisted of running apache on one machine and ab (apache
benchmark) on another connected through crossover cables.

throughput was measured two ways

1. doing a tail -f of the apache logfile and running it through a script
(cut|sort) that gave a running report of the number of connections each
second.

2. the ab throughput reports.

there were 5 copies of AB running, each set to attempt 200 simultaneous
connections.

the proxy (#1) maxed out at ~170 connections/sec with the firewall CPU
maxed out, but lots of memory available and user interactivity slow but
possible on the firewall.

connection tracking would start out very fast (>2000 connections/sec) but
within 10 seconds or so would slow to a crawl, < 100 connections/second
sustained. However this would max out the machine to the point where it
was impossible to run vmstat or anything else to find where the
bottlenecks were.

now there have been some fixes of the netfilter code since 2.4.14 that may
have fixed it, but if you plan to use it in a location where it could get
hit by a lot of traffic, make sure you run your own tests.

currently I am avoiding connection tracking as I have not taken the time to
run a new set of tests on the new kernels.

David Lang


On Sun, 24 Feb 2002, Pasi Kärkkäinen wrote:

> Date: Sun, 24 Feb 2002 14:44:31 +0200 (EET)
> From: Pasi Kärkkäinen <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Performance / connection tracking
>
>
> (Please CC to me, I'm not on the list)
>
> Hello!
>
> How much performance does connection tracking cost compared to basic
> non-connection tracking netfilter-firewall?
>
> Do you see the difference with 10Mbps internet-connection?
>
> When you enable connection tracking (-m state --state foo), does netfilter
> need to track ALL connections? or is connection tracking used just for
> source/dest networks in that specific rule?
>
>
> Thanks for your help.
>
>
> - Pasi Kärkkäinen
>
>
>                                    ^
>                                 .     .
>                                  Linux
>                               /    -    \
>                              Choice.of.the
>                            .Next.Generation.
>
>
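The per-second connection counter David describes (tail -f of the apache log piped through cut|sort) as an added example, not code from the original post. The log lines are constructed in common log format; the function names and the `demo` argument are my own.

```shell
#!/bin/sh
# Constructed sample of Apache common-log-format lines (not from the post).
# Field 4 holds "[dd/Mon/yyyy:HH:MM:SS"; second 14:44:33 is deliberately
# absent to show that quiet seconds simply do not appear in the report.
SAMPLE_LOG='10.0.0.2 - - [24/Feb/2002:14:44:31 +0200] "GET / HTTP/1.0" 200 1234
10.0.0.2 - - [24/Feb/2002:14:44:31 +0200] "GET / HTTP/1.0" 200 1234
10.0.0.3 - - [24/Feb/2002:14:44:31 +0200] "GET / HTTP/1.0" 200 1234
10.0.0.2 - - [24/Feb/2002:14:44:32 +0200] "GET / HTTP/1.0" 200 1234
10.0.0.3 - - [24/Feb/2002:14:44:34 +0200] "GET / HTTP/1.0" 200 1234'

# Read log lines on stdin, print "HH:MM:SS count" per second, sorted by time.
# cut -f4 isolates the bracketed timestamp, cut -d: -f2-4 keeps HH:MM:SS,
# sort | uniq -c counts identical seconds, awk swaps to "time count".
conns_per_second() {
    cut -d' ' -f4 | cut -d: -f2-4 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Highest per-second count seen; compare against the sustained figures to
# spot the "fast for ten seconds, then a crawl" pattern from the benchmark.
peak_rate() {
    conns_per_second | awk '{ if ($2 + 0 > max) max = $2 + 0 } END { print max + 0 }'
}

# Live use on a real firewall test (not run here):
#   tail -f /var/log/apache/access_log | conns_per_second
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | conns_per_second
    printf 'peak: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | peak_rate)"
fi
```

With tail -f the sort buffers until EOF, so for a live view run the pipeline over a fixed window (e.g. tail -n 5000) at intervals rather than on the open stream.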
