Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
linux:iptables:l7patch [2007/04/01 12:15] a |
linux:iptables:l7patch [2008/03/10 00:25] a Which CPU for heavy traffic with much filtering/shaping |
||
|---|---|---|---|
| Line 17: | Line 17: | ||
| .. more to come | .. more to come | ||
| + | |||
| Line 33: | Line 34: | ||
| Thanks to //Abel Martín// at debian-firewall mailinglist. | Thanks to //Abel Martín// at debian-firewall mailinglist. | ||
| + | |||
| + | ==== ipp2p best practices ==== | ||
| + | |||
| + | I suggest the following tcp and udp for connection tracking (see docu section) | ||
| + | |||
| + | 01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark | ||
| + | 02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT | ||
| + | 03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1 | ||
| + | 04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark | ||
| + | 05# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1 | ||
| + | |||
| + | detect **TCP FIRST, SAVE MARK** , and detect udp after you saved the mark !! | ||
| + | You will have now every p2p packet marked, but a dramtic reduce of udp | ||
| + | mismatches. | ||
| + | |||
| ===== Yet another way to do it .. ===== | ===== Yet another way to do it .. ===== | ||
| Line 66: | Line 82: | ||
| -fPIC -c libipt_ipp2p.c | -fPIC -c libipt_ipp2p.c | ||
| ld -shared -o libipt_ipp2p.so libipt_ipp2p.o | ld -shared -o libipt_ipp2p.so libipt_ipp2p.o | ||
| + | |||
| + | ==== Which CPU for heavy traffic with much filtering/ | ||
| + | < | ||
| + | > Subject: Re: [LARTC] Which CPU for heavy traffic with much | ||
| + | > filtering/ | ||
| + | > Date: Mon, 19 Nov 2007 17:40:34 +0100 | ||
| + | > | ||
| + | > >Hi | ||
| + | > | ||
| + | > Hi | ||
| + | > | ||
| + | > >I have a router with a large number of iptables rules and some | ||
| + | > > | ||
| + | > | ||
| + | > Performance boost tips: | ||
| + | > | ||
| + | > - Use " | ||
| + | > cpu usage. | ||
| + | > | ||
| + | > - Use hashing filters for shaping if you're using many u32 filters. | ||
| + | > | ||
| + | > - configure conntrack to use bigger hashsize for better performance; | ||
| + | > i'm passing following parameter to kernel in grub to achieve this: | ||
| + | > ip_conntrack.hashsize=1048575 | ||
| + | > | ||
| + | > - configure routecache to use bigger to use more memory for better | ||
| + | > performance; | ||
| + | > achieve this: rhash_entries=2400000 | ||
| + | > | ||
| + | > >1. What processors should I be looking for in order to achieve the | ||
| + | > >best routing throughput on a linux router? | ||
| + | > | ||
| + | > I've had good experiences with P4 (with and without HT), Athlon64, Xeon | ||
| + | > [dempsey], Xeon [woodcrest]. The last one is the best choice because of | ||
| + | > the large cache and architecture. I think you can use Core 2 Duo too | ||
| + | > if you want to save some money. | ||
| + | > | ||
| + | > >2. Is it true that multicore processors will not help much in this | ||
| + | > > | ||
| + | > | ||
| + | > Not true. In your setup with two nics with same load you can easily use | ||
| + | > two cores. You can assign each nic to different core by the means of | ||
| + | > smp_affinity setting in / | ||
| + | </ | ||
