netfilter notes

From thelinuxwiki

Latest revision as of 12:28, 26 September 2018

performance

multi-core

taken from Netfilter hooks on multi-core system (https://stackoverflow.com/questions/7467688/netfilter-hooks-on-multi-core-system)

The problem is not netfilter; it is the way your kernel is managing interrupts.

By default, old versions of APIC deliver all interrupts to CPU0.

You can check if this is your problem with:

cat /proc/interrupts

You can see if the interrupts of the NIC (and remember that the netfilter hooks are executed in an RX or TX SoftIRQ) are handled by a single core.

In newer versions of the kernel, there is a compile option (CONFIG_HOTPLUG_CPU) which balances the IRQs over the existing cores.

Or, if you cannot update the version or recompile the kernel, you can update the SMP affinity (with a mask that covers more than one CPU id) to try to balance between different cores. Or go into ACPI and do the proper configuration (here I cannot help more).

Here you can find all about this stuff (SMP affinity and proper IRQ handling).
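As an added example (not part of the wiki page or of the StackOverflow answer quoted above), a POSIX shell script that parses a constructed /proc/interrupts excerpt, reports which of a NIC's IRQs are being serviced by a single core, and builds the hexadecimal smp_affinity mask for a chosen set of CPUs. The device name eth0, the IRQ numbers and the counters are made up for the demonstration.

```shell
#!/bin/sh
# Constructed /proc/interrupts excerpt (not captured from a real host): both RX queues
# of eth0 are serviced by CPU0 only, which is the symptom described above.
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  24:     981234          0          0          0   PCI-MSI-edge      eth0-rx-0
  25:     977812          0          0          0   PCI-MSI-edge      eth0-rx-1
  26:       1203       1190       1210       1188   PCI-MSI-edge      eth0-tx-0
 NMI:          0          0          0          0   Non-maskable interrupts'

# Number of CPUs that have serviced the named IRQ at least once.
# $1: /proc/interrupts content, $2: name from the last column (e.g. eth0-rx-0)
irq_active_cpus() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NR == 1 { ncpu = NF; next }          # header row: one field per CPU
        $NF == name {
            active = 0
            for (i = 2; i <= ncpu + 1; i++) if ($i + 0 > 0) active++
            print active
            exit
        }'
}

# One line per IRQ whose name starts with the device prefix, flagging single-core IRQs.
# $1: /proc/interrupts content, $2: device prefix (e.g. eth0)
report_device() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        NR == 1 { ncpu = NF; next }
        index($NF, dev) == 1 {
            active = 0
            for (i = 2; i <= ncpu + 1; i++) if ($i + 0 > 0) active++
            irq = $1; sub(":", "", irq)
            printf "%s %s %d/%d cpus%s\n", irq, $NF, active, ncpu,
                   (active == 1 ? " (single core)" : "")
        }'
}

# Hex bitmask for /proc/irq/<n>/smp_affinity covering the given CPU ids, e.g. cpu_mask 1 3 -> a
cpu_mask() {
    mask=0
    for cpu in "$@"; do
        mask=$(( mask | (1 << cpu) ))
    done
    printf '%x\n' "$mask"
}

# Applying a mask needs root and a real IRQ number, so this is shown but not called here.
set_irq_affinity() {
    printf '%s\n' "$2" > "/proc/irq/$1/smp_affinity"
}

report_device "$SAMPLE_INTERRUPTS" eth0
echo "mask spreading an IRQ over CPU0-CPU3: $(cpu_mask 0 1 2 3)"
```

On a live system replace the sample with `cat /proc/interrupts` and check the result with `cat /proc/irq/<n>/smp_affinity` after writing the mask; irqbalance, if running, may overwrite manual settings.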

conntracks and kernel 3.15

Full scalability for Netfilter conntracks

My scalability fixes for Netfilter connection tracking have reached Linus's tree and will appear in kernel release v3.15.

Netfilter's conntrack has had a bad reputation for being slow. While this was true in the "early days", it has been offering excellent scalability for established conntracks for a long time now. Matching against existing conntrack entries is very fast and completely scalable. (The conntrack system actually does lockless RCU (Read-Copy Update) lookups for existing connections.)

The conntrack system has had a scalability problem when it comes to creating (or deleting) connections for a long time now (single central spinlock). This scalability issue is now fixed.

This work relates to my recent efforts of using conntrack for DDoS protection, as e.g. SYN-floods would hit this "new" connection scalability problem with Netfilter conntracks.

Finally, version 3 of the patchset was accepted on March 7th 2014 (note that Eric Dumazet worked on the first attempts back on May 9th 2013). The most important commit is 93bb0ceb75 "netfilter: conntrack: remove central spinlock nf_conntrack_lock".