Differences

This shows you the differences between two versions of the page.

--- system:benches10gbps:firewall [2012/10/17 17:17]
ze
+++ system:benches10gbps:firewall [2012/11/02 15:41] (current)
ze ipset
@@ Line 353: / Line 353: @@
 Will have to seek for other solutions.
+===== ipset =====
+Some people mentionned ipset. Lets bench that.
+<code>
+# lets create some sets we might use
+ipset create ip hash:ip
+ipset create net hash:net
+ipset create ip,port hash:ip,port
+ipset create net,port hash:net,port
+</code>
+Rules used for different tests :
+<code>
+-A FORWARD -m set --match-set ip src
+-A FORWARD -m set --match-set net src
+-A FORWARD -m set --match-set net,port src,src
+-A FORWARD -m set --match-set ip,port src,dst
+</code>
+Lets see how a few match for hash:ip affects our traffic :
+^  # rules  ^  conn/s  ^  pkt/s  ^
+|  1 |  570k |  3.6M |
+|  2 |  340k |  2.05M |
+|  3 |  240k |  1.45M |
+|  4 |  184k |  1.1M |
+Ok, so just a few ipset match affects us ALOT. What about other hashes ?
+(tests done with 2 matches)
+^  ipset  ^  conn/s  ^  pkt/s  ^
+| hash:ip |  340k |  2.05M |
+| hash:net |  350k |  2.1M |
+| hash:ip,port |  330k |  2M |
+| hash:net,port |  330k |  2M |
+Net or ip doesn't change much, and including the port is only a light overhead,
+considering the overhead we already have.
+What about ipset bitmasks ?
+<code>
+ipset create bip0 bitmap:ip range 10.136.0.0-10.136.255.255
+ipset create bip1 bitmap:ip range 10.140.0.0-10.140.255.255
+</code>
+^  # rules  ^  conn/s  ^  pkt/s  ^
+|  2 |  550k |  3.5M |
+|  4 |  320k |  1.9M |
+Considering ipset is limited to 65k entries, and the results, I would advise
+against using it, unless you really need the easy to manage set.
 ===== interface irq affinity =====

ze's sandcastle

User Tools

Site Tools

Differences

Page Tools