Simon Hobson <[email protected]> wrote:

> But there is an important thing to remember about software firewalling like
> this. If you go out and spend loads of dosh on a firewall device from the
> likes of Cisco, part of what that money buys you is a hardware packet
> processing engine.
> The first packet in any conversation will (may ?*) still go through the
> supervisor processor, but once it's evaluated all the rules, it will cache it
> in the hardware filter engine - thereafter, the packets are processed in
> hardware, probably with "cut through**" and be handled very fast.
> Using a software firewall on a Linux box, every packet must traverse the IP
> stack. So each packet must be received fully into a buffer, then the next
> level up can decide where that packet needs to be passed, at various points
> filters will be applied, it ends up in another buffer, and finally gets sent
> out of an interface. No matter how fast you make the processing, there is a
> fundamental limit that the packet isn't processed until it's all been
> received, and it can't start transmitting on the outbound interface until
> it's finished processing.
Just had another think about this ...

Where the server, firewall, and virtual switches are all on one virtual host, there is another factor in favour of the software setup. The packets aren't serialised and sent down a bit of wire - transmitting a packet means copying a buffer of bytes in memory. So after the initial reception of the packet from the outside network, there's no further serialisation, as the virtual switches and virtual NICs are all "just buffers in memory".

But against the standard setup, AIUI all the host packet handling is done by one thread running in Dom0. So that could be adding latency, as this single thread will be handling packets going into your firewall "device", the packets coming out and going into another (virtual) switch, and the packets coming out the other side of that switch and going into your "server" virtual machine. I believe there are ways around this, but it's not something I've looked into.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
