[tech] madako and ipsets

Adrian Chadd adrian at ucc.gu.uwa.edu.au
Sun May 6 20:22:15 WST 2007


I'm doing some uh, 'throughput testing' from a UCC-hosted machine
to a WAIX connected host and I'm not able to push above 30mbit/sec.
It turns out madako's FREENETSIN and FREENETSOUT rulesets are..
well, linearly evaluated, and this puts a clamp on the throughput.
I max out madako's CPU at ~30mbit/sec with a single stream
from 203.56.168.1 with whatever it was in the freenets list.

I placed a specific rule for my /24 at the top of FREENETSIN
and FREENETSOUT and madako can now pass 50mbit/sec without
using up all the CPU.

There are two things to do:

* do proper connection marking, so we can pass established flows
  without having to re-evaluate every rule again, and
* use something like ip sets in iptables to store the set of
  freenets ips, not linearly evaluated firewall rulesets.

I'd like to recompile the kernel to include ipset support so
I can see what benefit it has. I'll probably do that in a couple
of weeks when I've got my spare time.

Do people mind?



Adrian


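As an added illustration (not part of Adrian's mail or madako's actual configuration), here is a small Python model of the three per-packet costs the post contrasts: a flat FREENETS chain walked rule by rule, an ipset-style hash:net lookup, and connection marking that decides once per flow. The freenets list, the flow keys and the destination addresses are constructed for the demo; 203.56.168.1 is only reused from the post as a sample address.

```python
import ipaddress
from collections import defaultdict

# Constructed sample "freenets" list for the demo, not the real WAIX list:
# 200 /16 entries followed by one /24 at the very end of the chain.
FREENETS = [ipaddress.ip_network(f"10.{i}.0.0/16") for i in range(200)]
FREENETS.append(ipaddress.ip_network("203.56.168.0/24"))

def linear_match(dst, rules):
    """Emulate a flat FREENETSIN/FREENETSOUT chain: iptables walks every rule
    in order until one matches. Returns (matched, rules_evaluated)."""
    dst = ipaddress.ip_address(dst)
    for n, net in enumerate(rules, 1):
        if dst in net:
            return True, n
    return False, len(rules)

class HashNetSet:
    """Emulate ipset's hash:net type: entries are hashed per prefix length, so a
    lookup costs at most one probe per distinct prefix length, not per entry."""
    def __init__(self, nets):
        self.by_len = defaultdict(set)
        for net in nets:
            self.by_len[net.prefixlen].add(int(net.network_address) >> (32 - net.prefixlen))
    def lookup(self, dst):
        addr = int(ipaddress.ip_address(dst))
        probes = 0
        for plen in sorted(self.by_len, reverse=True):  # longest prefix first
            probes += 1
            if addr >> (32 - plen) in self.by_len[plen]:
                return True, probes
        return False, probes

class ConnMarkFirewall:
    """Emulate connection marking: classify the first packet of a flow, remember
    the verdict, and pass later ESTABLISHED packets without touching the ruleset."""
    def __init__(self, classify):
        self.classify = classify  # callable: dst -> (verdict, cost)
        self.flows = {}           # flow key -> cached verdict
    def packet(self, flow, dst):
        if flow in self.flows:
            return self.flows[flow], 0
        verdict, cost = self.classify(dst)
        self.flows[flow] = verdict
        return verdict, cost

def stream_cost(fw, flow, dst, npackets):
    # Total rule evaluations spent on npackets of a single TCP stream.
    return sum(fw.packet(flow, dst)[1] for _ in range(npackets))
```

With the /24 last in the chain every packet costs 201 rule evaluations; moving it to the top (the post's quick fix) makes it 1, and connection marking reduces a 1000-packet stream to a single classification regardless of where the rule sits.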