Differences

This shows you the differences between two versions of the page.

--- linux:iptables:l7patch [2006/11/03 18:03]
a another way
+++ linux:iptables:l7patch [2008/03/10 00:25]
a Which CPU for heavy traffic with much filtering/shaping
@@ Line 17: / Line 17: @@
 .. more to come
@@ Line 23: / Line 25: @@
 FIXME Need some styling
-I downloaded the source package for ''iptables v1.3.5'' and copied the source in  '/usr/src/iptables-1.3.5.0debian1''. Install the iptables-dev package (although I think it's not necessary if you install the iptables source package). You'll need the kernel-headers package too. I sent you my ''**Makefile**.'' With this setup you just need to do make in the directory where the sources are. If you succeed, you will find a dynamic library ''libipt_ipp2p.so'', which you'll have to copy to ''/lib/iptables/'' and a kernel module called ''ipt_ipp2p.ko'' (supposing you have a 2.6.x kernel in your system). Copy ''ipt_ipp2p.ko'' in ''/lib/modules/<your_kernel_version>/kernel/net/ipv4/netfilter/ipt_ipp2p.ko'' and type ''depmod -a''.
+I downloaded the source package for ''iptables v1.3.5'' and copied the source in  '/usr/src/iptables-1.3.5.0debian1''. Install the iptables-dev package (although I think it's not necessary if you install the iptables source package). You'll need the kernel-headers package too. I sent you my ''**Makefile**.'' With this setup you just need to do make in the directory where the sources are. If you succeed, you will find a dynamic library ''libipt_ipp2p.so'', which you'll have to copy to ''/lib/iptables/'' and a kernel module called ''ipt_ipp2p.ko'' (supposing you have a 2.6.x kernel in your system). Copy ''ipt_ipp2p.ko'' in '/lib/modules/<your_kernel_version>/kernel/net/ipv4/netfilter/ipt_ipp2p.ko'' and type ''depmod -a''.
 Try loading the module with modprobe ipt_ipp2p. If everything is OK try the following command:
@@ Line 32: / Line 34: @@
 Thanks to //Abel Martín// at debian-firewall mailinglist.
+==== ipp2p best practices ====
+I suggest the following tcp and udp for connection tracking (see docu section)
+# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
+# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
+# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
+# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
+# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
+detect **TCP FIRST, SAVE MARK** , and detect udp after you saved the mark !!
+You will have now every p2p packet marked, but a dramtic reduce of udp
+mismatches.
+===== Yet another way to do it .. =====
+) Download:
+   * iptables-dev (apt-get)
+   * kernel-headers-2.x.x (your kernel, "uname -r")
+   * src of your iptables (iptables -V and apt-get source)
+   * ipp2p-0.8.0.tar.gz (stable)
+) untar ipp2p and cd ipp2p
+) Edit Makefile, if it's necesary:
+   * IPTABLES_SRC = /usr/src/iptables
+   * In my case, the headers are detected automaticaly.
+) make (WITHOUT ERRORS!!! ;) )
+) cp libipt_ipp2p.so /lib/iptables
+) cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
+) depmod -A
+) insmod ipt_ipp2p.ko (or modprobe)
+) lsmod | grep ipp2p
+) iptables -m ipp2p --help
+   root@servidor:/usr/src/ipp2p-0.8.0# make
+   make -C /lib/modules/2.6.15-28-386/build SUBDIRS=/usr/src/ipp2p-0.8.0
+   modules
+   make[1]: se ingresa al directorio `/usr/src/linux-headers-2.6.15-28-386'
+     CC [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.o
+     Building modules, stage 2.
+     MODPOST
+     CC      /usr/src/ipp2p-0.8.0/ipt_ipp2p.mod.o
+     LD [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.ko
+     make[1]: se sale del directorio `/usr/src/linux-headers-2.6.15-28-386'
+    gcc -O3 -Wall -DIPTABLES_VERSION=\"\" -I/usr/src/iptables-1.3.3/include
+   -fPIC -c  libipt_ipp2p.c
+   ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
+==== Which CPU for heavy traffic with much filtering/shaping ====
+<code>
+> Subject: Re: [LARTC] Which CPU for heavy traffic with much
+> filtering/shaping?
+> Date: Mon, 19 Nov 2007 17:40:34 +0100
+>
+> >Hi
+>
+> Hi
+>
+> >I have a router with a large number of iptables rules and some
+> >extensive traffic shaping (HTB + RED + ... ) + conntrack.
+>
+> Performance boost tips:
+>
+> - Use "set" module instead of sequential iptables rules. It can lower
+> cpu usage.
+>
+> - Use hashing filters for shaping if you're using many u32 filters.
+>
+> - configure conntrack to use bigger hashsize for better performance;
+> i'm passing following parameter to kernel in grub to achieve this:
+> ip_conntrack.hashsize=1048575
+>
+> - configure routecache to use bigger to use more memory for better
+> performance; i'm passing following parameter to kernel in grub to
+> achieve this: rhash_entries=2400000
+>
+> >1. What processors should I be looking for in order to achieve the
+> >best routing throughput on a linux router?
+>
+> I've had good experiences with P4 (with and without HT), Athlon64, Xeon
+> [dempsey], Xeon [woodcrest]. The last one is the best choice because of
+> the large cache and architecture. I think you can use Core 2 Duo too
+> if you want to save some money.
+>
+> >2. Is it true that multicore processors will not help much in this
+> >situation?
+>
+> Not true. In your setup with two nics with same load you can easily use
+> two cores. You can assign each nic to different core by the means of
+> smp_affinity setting in /proc/irq/... or by using irqbalance daemon.
+</code>