Differences
linux:iptables:l7patch [2008/03/10 00:25] a Which CPU for heavy traffic with much filtering/shaping
linux:iptables:l7patch [2009/05/25 00:35]
Line 1: | Line 1: | ||
- | ====== Playing with netfiltering-l7 and ipp2p under Debian (Sarge) ====== | ||
- | Problem: Debian + patched kernel as debian package + patched iptables with latest netfilter-l7 and ipp2p patches. | ||
- | |||
- | **need some more restyling** | ||
- | |||
- | ====== Get the source! ====== | ||
- | |||
- | apt-get source iptables (take it from debian-packports 1.3.3x) | ||
- | |||
- | get ipp2p source | ||
- | get netfilter-l7 source | ||
- | |||
- | untar iptables source from upstream and patch it with netfilter-l7-iptables patch. Create a .tgz and put it back at the same location. | ||
- | |||
- | untar patch-o-matic stuff .. put ipp2p stuff there .. | ||
- | |||
- | .. more to come | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | ====== Another way to do it ====== | ||
- | FIXME Need some styling | ||
- | |||
- | I downloaded the source package for '' | ||
- | |||
- | Try loading the module with modprobe ipt_ipp2p. If everything is OK try the following command: | ||
- | |||
- | | ||
- | |||
- | You should see some info about the usage of this module. | ||
- | |||
- | Thanks to //Abel Martín// at debian-firewall mailinglist. | ||
- | |||
- | ==== ipp2p best practices ==== | ||
- | |||
- | I suggest the following tcp and udp for connection tracking (see docu section) | ||
- | |||
- | 01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark | ||
- | 02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT | ||
- | 03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1 | ||
- | 04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark | ||
- | 05# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1 | ||
- | |||
- | detect **TCP FIRST, SAVE MARK** , and detect udp after you saved the mark !! | ||
- | You will have now every p2p packet marked, but a dramtic reduce of udp | ||
- | mismatches. | ||
- | |||
- | |||
- | ===== Yet another way to do it .. ===== | ||
- | |||
- | 1) Download: | ||
- | * iptables-dev (apt-get) | ||
- | * kernel-headers-2.x.x (your kernel, "uname -r") | ||
- | * src of your iptables (iptables -V and apt-get source) | ||
- | * ipp2p-0.8.0.tar.gz (stable) | ||
- | 2) untar ipp2p and cd ipp2p | ||
- | 3) Edit Makefile, if it's necesary: | ||
- | * IPTABLES_SRC = / | ||
- | * In my case, the headers are detected automaticaly. | ||
- | 4) make (WITHOUT ERRORS!!! ;) ) | ||
- | 5) cp libipt_ipp2p.so / | ||
- | 6) cp ipt_ipp2p.ko / | ||
- | 7) depmod -A | ||
- | 8) insmod ipt_ipp2p.ko (or modprobe) | ||
- | 9) lsmod | grep ipp2p | ||
- | 10) iptables -m ipp2p --help | ||
- | |||
- | | ||
- | make -C / | ||
- | | ||
- | | ||
- | CC [M] / | ||
- | | ||
- | | ||
- | | ||
- | LD [M] / | ||
- | | ||
- | gcc -O3 -Wall -DIPTABLES_VERSION=\" | ||
- | -fPIC -c libipt_ipp2p.c | ||
- | ld -shared -o libipt_ipp2p.so libipt_ipp2p.o | ||
- | |||
- | ==== Which CPU for heavy traffic with much filtering/ | ||
- | < | ||
- | > Subject: Re: [LARTC] Which CPU for heavy traffic with much | ||
- | > filtering/ | ||
- | > Date: Mon, 19 Nov 2007 17:40:34 +0100 | ||
- | > | ||
- | > >Hi | ||
- | > | ||
- | > Hi | ||
- | > | ||
- | > >I have a router with a large number of iptables rules and some | ||
- | > > | ||
- | > | ||
- | > Performance boost tips: | ||
- | > | ||
- | > - Use " | ||
- | > cpu usage. | ||
- | > | ||
- | > - Use hashing filters for shaping if you're using many u32 filters. | ||
- | > | ||
- | > - configure conntrack to use bigger hashsize for better performance; | ||
- | > i'm passing following parameter to kernel in grub to achieve this: | ||
- | > ip_conntrack.hashsize=1048575 | ||
- | > | ||
- | > - configure routecache to use bigger to use more memory for better | ||
- | > performance; | ||
- | > achieve this: rhash_entries=2400000 | ||
- | > | ||
- | > >1. What processors should I be looking for in order to achieve the | ||
- | > >best routing throughput on a linux router? | ||
- | > | ||
- | > I've had good experiences with P4 (with and without HT), Athlon64, Xeon | ||
- | > [dempsey], Xeon [woodcrest]. The last one is the best choice because of | ||
- | > the large cache and architecture. I think you can use Core 2 Duo too | ||
- | > if you want to save some money. | ||
- | > | ||
- | > >2. Is it true that multicore processors will not help much in this | ||
- | > > | ||
- | > | ||
- | > Not true. In your setup with two nics with same load you can easily use | ||
- | > two cores. You can assign each nic to different core by the means of | ||
- | > smp_affinity setting in / | ||
- | </ |