On 28/04/17 23:13, Simon Hobson wrote:
> Daniel Pocock <[email protected]> wrote:
>
>> I'm noticing latency doubles when things go through the firewall. In
>> particular, I have recently set up a couple of virtual desktops and I'm
>> trying to access them with the SPICE protocol. It is supposed to be
>> more efficient than VNC or RDP but I'm finding there is always latency
>> in the UI.
>>
>> I tried some ping tests (from my home, using a gigabit fibre connection)
>> and observed:
>>
>> ping the physical server = 0.8ms
>> ping the virtual firewall = 1.4ms
>> ping the virtual server = 1.8ms
>
> What happens if you clear the firewall (shorewall clear)?
> Bear in mind that when you introduce the firewall, you are (I assume) sending
> the packets through an extra switch, virtual NIC, virtual machine, virtual
> NIC. So even without any firewall processing you will add latency.
> Looking at the times you give above, adding the virtual switch and NIC to get
> to the firewall VM adds 0.6ms; the extra virtual NIC, virtual switch, virtual
> NIC to get to the server adds an additional 0.4ms. Not much in it.
>
I tried "shorewall clear && shorewall6 clear" while running ping and didn't
see much difference in the ping times, so it may not be firewalling at all.

If I understand the conntrack documentation[1] correctly, each TCP packet is
still processed by conntrack even if there are no firewall rules using NAT.
The only way to stop conntrack looking at packets is to unload the modules
for conntrack. Could conntrack be adding that much latency though?

Beyond Shorewall, can anybody suggest any general strategies to reduce
latency in a Linux router/firewall setup, or any good links on this topic?

> For something really latency sensitive, you might be better just running a
> firewall on the server.
>

That would be preferable, but in this case space for physical servers is
limited.

Regards,

Daniel

1. http://people.netfilter.org/pablo/docs/login.pdf
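The per-hop arithmetic Simon does by hand above (subtracting each ping average from the previous hop's to see what each virtual segment adds) can be scripted so the measurement is repeatable before and after a `shorewall clear`. The following is an added example, not code posted by anyone in this thread; the three ping summaries are constructed sample output whose averages match the figures Daniel reported, and the conntrack check reads `/proc/sys/net/netfilter/nf_conntrack_count`, which only exists while the conntrack module is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): attribute round-trip latency to each
# hop on the path and check whether conntrack is loaded on this host.

# Constructed sample "ping -c 20" summaries; the averages are the ones in
# the thread (physical 0.8ms, firewall 1.4ms, virtual server 1.8ms).
PING_PHYS='20 packets transmitted, 20 received, 0% packet loss, time 19032ms
rtt min/avg/max/mdev = 0.741/0.812/0.934/0.051 ms'
PING_FW='20 packets transmitted, 20 received, 0% packet loss, time 19030ms
rtt min/avg/max/mdev = 1.302/1.397/1.588/0.072 ms'
PING_VM='20 packets transmitted, 20 received, 0% packet loss, time 19031ms
rtt min/avg/max/mdev = 1.690/1.811/2.104/0.096 ms'

# Extract the average RTT (ms) from a ping summary. Splitting on space, '/'
# and '=' makes the value five fields after the literal "min" token, which
# holds for both the Linux "rtt min/avg/max/mdev" and the BSD/macOS
# "round-trip min/avg/max/stddev" wording.
ping_avg_ms() {
    printf '%s\n' "$1" | awk -F'[ /=]+' '
        /min\/avg\/max/ { for (i = 1; i <= NF; i++) if ($i == "min") { print $(i + 5); exit } }'
}

# Given alternating "name avg_ms" pairs in path order, print each hop's
# total RTT and how much it adds over the previous hop (one decimal place,
# as in Simon's reply). Float arithmetic is done in awk since sh has none.
hop_deltas() {
    prev=0
    while [ $# -ge 2 ]; do
        name=$1; avg=$2; shift 2
        delta=$(awk -v a="$avg" -v p="$prev" 'BEGIN { printf "%.1f", a - p }')
        printf '%s total=%sms added=%sms\n' "$name" "$avg" "$delta"
        prev=$avg
    done
}

# Report whether nf_conntrack is loaded and how many flows it is tracking;
# useful to confirm the module really is out of the path after unloading it.
conntrack_status() {
    f=/proc/sys/net/netfilter/nf_conntrack_count
    if [ -r "$f" ]; then
        printf 'nf_conntrack loaded, %s tracked connections\n' "$(cat "$f")"
    else
        printf 'nf_conntrack not loaded (no %s)\n' "$f"
    fi
}

# Usage on the constructed samples; on a live system replace the strings
# with "$(ping -c 20 <host>)" for each hop.
hop_deltas physical "$(ping_avg_ms "$PING_PHYS")" \
           firewall "$(ping_avg_ms "$PING_FW")" \
           server   "$(ping_avg_ms "$PING_VM")"
conntrack_status
```

Running the same three pings with the firewall rules loaded, after `shorewall clear`, and again with the conntrack modules unloaded gives three sets of per-hop deltas; if the firewall and server hops add roughly the same 0.6ms and 0.4ms in all three runs, the cost is in the virtual switch/NIC path rather than in netfilter.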
