[tech] madako and ipsets
Adrian Chadd
adrian at ucc.gu.uwa.edu.au
Sun May 6 20:22:15 WST 2007
I'm doing some uh, 'throughput testing' from an UCC-hosted machine
to a WAIX connected host and I'm not able to push above 30mbit/sec.
It turns out madako's FREENETSIN and FREENETSOUT rulesets are..
well, linearly evaluated, and this puts a clamp on the throughput.
I max out madako's CPU at ~30mbit/sec with a single stream
from 203.56.168.1 with whatever it was in the freenets list.
I placed a specific rule for my /24 at the top of FREENETSIN
and FREENETSOUT and madako can now pass 50mbit/sec without
using up all the CPU.
There are two things to do:
* do proper connection marking, so we can pass established flows
without having to re-evaluate every rule again, and
* use something like ip sets in iptables to store the set of
freenets ips, not linearly evaluated firewall rulesets.
I'd like to recompile the kernel to include ipset support so
I can see what benefit it has. I'll probably do that in a couple
of weeks when I've got my spare time.
Do people mind?
Adrian
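Added example (not part of Adrian's message, and not madako's real configuration): a POSIX shell script that generates the two changes the post proposes as an ipset restore file and an iptables-restore file. The prefix list is a constructed sample, and the set name "freenets", the interface eth0 and the chain layout are assumptions; the real freenets list, chain names and interfaces would be substituted on the firewall.

```shell
#!/bin/sh
# Example, not code from the original post or from madako.
# Generates the "established flows first, then one ipset lookup" layout
# instead of one rule per freenet prefix. All names below are assumptions.

# Constructed sample of freenet prefixes (not the real list).
FREENET_PREFIXES="203.56.168.0/24 203.0.113.0/24 198.51.100.0/24"
SET_NAME="freenets"

# Emit the ipset definition in `ipset restore` format: one hash:net set
# holding every prefix, so a packet is matched with one hash lookup
# instead of walking one rule per prefix.
gen_ipset() {
  printf 'create %s hash:net family inet\n' "$SET_NAME"
  for p in $FREENET_PREFIXES; do
    printf 'add %s %s\n' "$SET_NAME" "$p"
  done
}

# Emit the filter table in `iptables-restore` format.
gen_iptables() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
:FREENETSIN - [0:0]
:FREENETSOUT - [0:0]
# Packets of flows conntrack already knows are accepted here, before any
# prefix matching, so only the first packet of a flow walks the chains.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -j FREENETSIN
-A FORWARD -o eth0 -j FREENETSOUT
# One rule each way: set membership is a hash lookup, not a linear scan.
-A FREENETSIN -m set --match-set $SET_NAME src -j ACCEPT
-A FREENETSOUT -m set --match-set $SET_NAME dst -j ACCEPT
COMMIT
EOF
}

# Number of per-prefix rules the old linear layout needs
# (one per prefix in each direction).
count_linear_rules() {
  set -- $FREENET_PREFIXES
  echo $(( $# * 2 ))
}

# Number of prefix-matching rules the set-based layout needs,
# which stays at two however long the prefix list grows.
count_set_rules() {
  gen_iptables | grep -c -- '--match-set'
}
```

To load it on a kernel with ipset support: `gen_ipset | ipset restore` and then `gen_iptables | iptables-restore`, in that order, since the set must exist before a rule references it. The INVALID drop is an added safety rule, not something the post asks for.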