lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1302121136.2701.16.camel@edumazet-laptop>
Date:	Wed, 06 Apr 2011 22:18:56 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	David Miller <davem@...emloft.net>
Cc:	acme@...stprotocols.net, jesse.brandeburg@...il.com,
	fedora-kernel-list@...hat.com, netdev@...r.kernel.org,
	jesse.brandeburg@...el.com
Subject: Re: fedora 14 kernel performance with ip forwarding workload

Le mercredi 06 avril 2011 à 13:02 -0700, David Miller a écrit :
> From: Arnaldo Carvalho de Melo <acme@...stprotocols.net>
> Date: Wed, 6 Apr 2011 16:57:19 -0300
> 
> > Something like ftrace code changing when the user inserts the first
> > rule?
> > 
> > People wanting top performance disable it in the build, but thos wanting
> > to stick to vendor provided kernels don't have that choice :)
> 
> Using ftrace-like stubs would be an interesting idea, and I highly encourage
> people to work on something like that.
> 
> However I want to reiterate that I think that real rules are installed
> in Jesse's case, and once he removes those the majority of the
> overhead will disappear.  The FC14 workstation I'm using right now, on
> which I've made no modifications to the installer's netfilter settings,
> has the following rules:
> 
> --------------------
> [root@...olle davem]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
> ACCEPT     icmp --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp 
> ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns 
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ipp 
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp 
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> [root@...olle davem]# 
> --------------------
> 
> I suspect Jesse has something similar on his test box.
> 

I suspect problem is worse than that.

I remember last time I work on a fedora kernel, it had conntrack enabled

And yes, conntrack can really slowdown a router, because of default
parameters.

cat /proc/sys/net/nf_conntrack_max



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ