On Sun, 24 Feb 2002, David Lang wrote:
> I ran some tests with 2.4.14 with the following setups
>
> 1. firewall toolkit plug-gw proxy (forks for every connection)
>
> 2. packet forwarding with connection tracking on, no NAT, no -m
>
> system was 1.2 GHz athlon 512M ram
> benchmark consisted of running apache on one machine and ab (apache
> benchmark) on another connected through crossover cables.
>
> throughput was measured two ways
>
> 1. doing a tail -f of the apache logfile and running it through a script
> (cut|sort) that gave a running report of the number of connections each
> second.
>
> 2. the ab throughput reports.
>
> there were 5 copies of AB running, each set to attempt 200 simultaneous
> connections.
>
> the proxy (#1) maxed out at ~170 connections/sec with the firewall CPU
> maxed out, but lots of memory available and user interactivity slow but
> possible on the firewall.
>
> connection tracking would start out very fast (>2000 connections/sec) but
> within 10 seconds or so would slow to a crawl, < 100 connections/second
> sustained. However this would max out the machine to the point where it
> was impossible to run vmstat or anything else to find where the
> bottlenecks were.
>

Hmm.. this sounds more like a kernel bug to me rather than a real performance issue..?

> No, there have been some fixes of the netfilter code since 2.4.14 that may
> have fixed it, but if you plan to use it in a location where it could get
> hit by a lot of traffic, make sure you run your own tests.
>

Yep, I will.

> currently I am avoiding connection tracking as I have not taken the time to
> run a new set of tests on the new kernels.
>

In my current setup connection tracking seems to be working fine but this is far from your test-scenario :)

- Pasi Kärkkäinen

> > How much performance does connection tracking cost compared to basic
> > non-connection tracking netfilter-firewall?
> >
> > Do you see the difference with 10Mbps internet-connection?
> > When you enable connection tracking (-m state --state foo), does netfilter
> > need to track ALL connections? or is connection tracking used just for
> > source/dest networks in that specific rule?
> >
> > Thanks for your help.
> >
> > - Pasi Kärkkäinen
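The per-second connection report the first poster describes (a tail -f of the Apache log fed through cut|sort) reconstructed as an added example; this is not the poster's script. It assumes Apache common/combined log format, where the fourth whitespace-separated field is the timestamp, and the log lines below are constructed.

```shell
#!/bin/sh
# Added example: a per-second connection counter in the spirit of the
# "tail -f access_log | cut | sort" report described in the thread.
# Not the original poster's script. Assumes Apache common/combined log
# format, where field 4 is the timestamp: [24/Feb/2002:10:15:32 -0800].

# Read log lines on stdin, print "HH:MM:SS count" once per second seen.
# Counting in awk and flushing after each change keeps the report running
# when fed from `tail -f access_log`, instead of waiting for EOF the way
# a `sort | uniq -c` pipeline would.
conns_per_second() {
    awk '{
        split($4, t, ":")                 # t[2]=HH t[3]=MM t[4]=SS
        sec = t[2] ":" t[3] ":" t[4]
        if (sec != prev) {
            if (prev != "") { print prev, n; fflush() }
            prev = sec; n = 0
        }
        n++
    }
    END { if (prev != "") print prev, n }'
}

# Highest single-second count in a finished log, which is the kind of
# figure the "maxed out at ~170 connections/sec" numbers in the thread are.
# Seconds with no hits never appear in the report, so a sustained rate over
# a window must be total hits / elapsed seconds, not the mean of these rows.
peak_per_second() {
    conns_per_second | awk '$2 + 0 > max + 0 { max = $2 } END { print max + 0 }'
}

# Constructed sample: six hits over four seconds, with 10:15:34 idle.
SAMPLE_LOG='10.0.0.2 - - [24/Feb/2002:10:15:32 -0800] "GET / HTTP/1.0" 200 1234
10.0.0.3 - - [24/Feb/2002:10:15:32 -0800] "GET / HTTP/1.0" 200 1234
10.0.0.2 - - [24/Feb/2002:10:15:32 -0800] "GET / HTTP/1.0" 200 1234
10.0.0.4 - - [24/Feb/2002:10:15:33 -0800] "GET / HTTP/1.0" 200 1234
10.0.0.5 - - [24/Feb/2002:10:15:35 -0800] "GET / HTTP/1.0" 200 1234
10.0.0.6 - - [24/Feb/2002:10:15:35 -0800] "GET / HTTP/1.0" 200 1234'

printf '%s\n' "$SAMPLE_LOG" | conns_per_second
printf 'peak: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | peak_per_second)"
```

For a live view during a benchmark, run `tail -f /path/to/access_log | conns_per_second` instead of the printf lines.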