Date:   Tue, 19 Sep 2017 07:01:53 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Marco Berizzi <pupilla@...ero.it>
Cc:     netdev@...r.kernel.org
Subject: Re: software interrupts close to 100 with 9000 tc filter entries

On Tue, 2017-09-19 at 15:28 +0200, Marco Berizzi wrote:
> Hi Folks,
> 
> I'm running linux 4.12.10 x86_64 on a Slackware 14.2 64bit
> as a simple 4 NIC router. Network throughput processed by
> this machine is less than 200Mbit/s
> The cpu model is Intel(R) Xeon(R) CPU 5160  @ 3.00GHz with
> 2GB ram.
> 
> I need to blacklist about 9000 single ip addresses.
> This is the relevant script to blacklist these ip addresses:
> 
> tc qdisc add dev eth0 ingress
> tc qdisc add dev eth1 ingress
> 
> while read -r line
> do
>     tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src $line action drop
>     tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src $line action drop
> done < blacklisted_ip_addresses
> 
> After loading these ip addresses, the si (software interrupts)
> number shown by top is always close to 100
> If I delete the ingress qdisc on both the device, the si
> fall down to less than 5
> 
> Running the same script with 'only' 700 ip addresses is
> flawless.
> 
> Kindly, I would like to ask if I am doing anything in
> a wrong way or if the hardware is too old for this kind
> of setup.
> 
> I have selected the tc filter setup instead of netfilter
> one, because I was reading this from iproute2/doc/actions:
> 
> A side effect is that we can now get stateless firewalling to work with tc..
> Essentially this is now an alternative to iptables.
> I wont go into details of my dislike for iptables at times, but.
> scalability is one of the main issues; however, if you need stateful
> classification - use netfilter (for now).
> 
> Any responses are welcome
> TIA


Processing a list of 700 rules per incoming packet is not wise.

Alternatives:

- netfilter with IPSET: This probably can be done with one lookup in a
table. Probably the easiest way to set up.

- BPF filter (XDP or TC)
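
The netfilter + ipset alternative suggested above, sketched as an added example (not part of the original message or of any project's own code): it turns the one-address-per-line blacklist file from the question into `ipset restore` input, so each packet costs a single hash lookup. The set name `blacklist`, the function names and the placement of the drop rule in raw/PREROUTING are assumptions.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from a blacklist file so the
# kernel does one hash lookup per packet instead of walking thousands of
# u32 filters.

SET_NAME="blacklist"   # assumed set name, not taken from the thread

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # reject leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print restore commands for every valid address in file $1. Duplicates
# are dropped; malformed lines are reported on stderr and skipped so one
# bad entry cannot abort the whole load.
gen_ipset_restore() {
    echo "create $SET_NAME hash:ip family inet maxelem 65536"
    sort -u "$1" | while read -r addr; do
        [ -n "$addr" ] || continue
        if is_ipv4 "$addr"; then
            echo "add $SET_NAME $addr"
        else
            echo "skipped invalid entry: $addr" >&2
        fi
    done
}

# Load the set and install a single drop rule (needs root; not called here).
# The rule matches on every interface; add e.g. `-i eth0` to restrict it.
apply_blacklist() {
    gen_ipset_restore "$1" | ipset -exist restore &&
    iptables -t raw -I PREROUTING -m set --match-set "$SET_NAME" src -j DROP
}

# With a file argument, print the restore input for inspection.
if [ "$#" -ge 1 ]; then
    gen_ipset_restore "$1"
fi
```

Run as root, `apply_blacklist blacklisted_ip_addresses` replaces the per-address `tc filter add` loop with one set and one rule.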



