Message-Id: <201111161028.43078.hans@schillstrom.com>
Date:	Wed, 16 Nov 2011 10:28:42 +0100
From:	Hans Schillstrom <hans@...illstrom.com>
To:	Pablo Neira Ayuso <pablo@...filter.org>
Cc:	Hans Schillstrom <hans.schillstrom@...csson.com>, kaber@...sh.net,
	jengelh@...ozas.de, netfilter-devel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [v2 PATCH 1/2] NETFILTER module xt_hmark new target for HASH based fw

Hello Pablo
On Wednesday, November 09, 2011 15:39:22 Pablo Neira Ayuso wrote:
> On Tue, Nov 08, 2011 at 04:12:27PM +0100, Hans Schillstrom wrote:
> > >BTW, do you have some number of this running with and without
> > >conntrack? It would be interesting to have.
> > 
> > I didn't save them,  but I can make a new benchmark later on.
> 
> Thanks, I'm interested in them. It can be just xt_HMARK with and
> without conntrack enabled. Also make sure that you use stateful
> rule-set if conntrack is enabled (thus, resulting in hashing only
> once, not every packet). Otherwise, conntrack will not provide
> any improvement.
> 

I have some problems with the generator..., 
so I did some simple iperf TCP tests with KVMs, i.e. a standard TCP setup.

iptables, just one rule:
-A PREROUTING -d 10.0.0.10/32 -j HMARK --hmark-mod 0x2 --hmark-offs 0x64

Some typical values show ~8% degradation with conntrack loaded.


a) Without conntrack loaded

 [  3]  0.0-10.0 sec  83.5 MBytes  70.0 Mbits/sec


b) With conntrack loaded (no iptables rules using --ctstate or -m conntrack)

[  3]  0.0-10.0 sec  78.0 MBytes  65.4 Mbits/sec

c) With iptables rules in use:
iptables -t mangle -A PREROUTING -d 10.0.0.10 -m conntrack --ctstate NEW -j HMARK --mod 2 --offs 100
iptables -t mangle -A PREROUTING -d 10.0.0.10 -m conntrack --ctstate ESTABLISHED,RELATED  -j HMARK --mod 2 --offs 100
iptables -t mangle -A PREROUTING -d 10.0.0.10 -m conntrack --ctstate INVALID -j DROP

[  3]  0.0-10.0 sec  77.4 MBytes  64.9 Mbits/sec


A clean KVM with a 3.2.0-rc1 kernel and virtio:
Module                  Size  Used by    Not tainted
nf_conntrack_ipv4      16731  1 
nf_defrag_ipv4         12436  1 nf_conntrack_ipv4
xt_conntrack           12390  1 
xt_hmark               12390  1 
iptable_mangle         12390  1 
ip_tables              20755  1 iptable_mangle
ipip                   16515  0 
tunnel4                12484  1 ipip


/Hans
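The three iperf runs above are compared by hand in the mail; the following added example (not part of the thread or the xt_HMARK patch) parses iperf v2 summary lines of the form shown and computes the throughput loss of each scenario against the no-conntrack baseline. The sample lines are the three reported in the mail; run and scenario names are assumed labels.

```python
import re
from typing import Dict, Optional, Tuple

# iperf (v2) TCP summary line, e.g. "[  3]  0.0-10.0 sec  83.5 MBytes  70.0 Mbits/sec"
IPERF_SUMMARY = re.compile(
    r"\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG])Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMG])bits/sec"
)
SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}


def parse_iperf_mbps(line: str) -> Optional[float]:
    """Throughput in Mbit/s from an iperf summary line, or None if the line is not one."""
    m = IPERF_SUMMARY.search(line)
    if not m:
        return None
    # Normalise Kbits/Mbits/Gbits to Mbit/s so runs at different scales compare directly.
    return float(m["rate"]) * SCALE[m["runit"]] / 1e6


def degradation_pct(baseline_mbps: float, measured_mbps: float) -> float:
    """Throughput loss relative to the baseline, in percent (positive means slower)."""
    return (baseline_mbps - measured_mbps) / baseline_mbps * 100.0


def summarise(runs: Dict[str, str], baseline: str) -> Dict[str, Tuple[float, float]]:
    """Map each run name to (Mbit/s, % loss vs. the named baseline run)."""
    base = parse_iperf_mbps(runs[baseline])
    if base is None:
        raise ValueError(f"no iperf summary in baseline run {baseline!r}")
    result = {}
    for name, line in runs.items():
        rate = parse_iperf_mbps(line)
        if rate is None:
            raise ValueError(f"no iperf summary in run {name!r}: {line!r}")
        result[name] = (rate, degradation_pct(base, rate))
    return result


# Summary lines of the three runs reported in the mail (scenario names are assumed labels).
RUNS = {
    "no_conntrack": "[  3]  0.0-10.0 sec  83.5 MBytes  70.0 Mbits/sec",
    "conntrack_loaded": "[  3]  0.0-10.0 sec  78.0 MBytes  65.4 Mbits/sec",
    "stateful_rules": "[  3]  0.0-10.0 sec  77.4 MBytes  64.9 Mbits/sec",
}

if __name__ == "__main__":
    for name, (rate, loss) in summarise(RUNS, "no_conntrack").items():
        print(f"{name:18s} {rate:6.1f} Mbit/s  {loss:+5.1f}% vs baseline")
```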