IPTables anomalies?
Abstract
This text describes my experiments, conducted to gain insight into
the impact that the number of Netfilter rules has on network
performance. The experiments involved downloading a sample file
via HTTP and measuring the time consumed with a varying number of
INPUT chain rules. The results are not as obvious as one might
expect: one would predict a perfectly linear relationship - the
more rules there are, the more time it takes to download the file.
The experiment shows that this is not true. Firstly, somewhere
around 500 rules there is a minimum in time consumed; secondly, the
time consumed varies heavily in certain ranges, 0-250 rules and
1200-1400 rules in particular.
The experiments
All experiments involved downloading an 8 MB random file via
HTTP over Ethernet from a BOA HTTP server to a client workstation.
The client software was the wget utility; the time was measured
with the time utility. All chains' policies were set to ALLOW.
The network of the server and client was
192.168.0.0/255.255.255.0. After running the first download rounds
with empty chains, DROP rules were added which matched the
networks 192.168.1.0/24, 192.168.2.0/24 and the like. Therefore
every packet had to be examined against all DROP rules, but
finally hit the INPUT chain policy, which was ALLOW. Three
consecutive experiments were carried out:
- Big range: roughly over the range 0-8000 rules with a step of about
  250 rules and 10 downloads per sample
- Small range: over the range 0-2000 rules with a step of 1 rule and 5
  downloads per sample
- Aiming at the minimum time consumed: 2 x 500 downloads, once with
  no rules and once with 500 rules
The results for the plots below were averaged within each rule-count group.
The results
The first experiment (plot):
The second experiment (plot):
In fact this experiment was run twice - the first time I ran it,
I thought that my work on the server interfered with the results,
because I was working at the time when the experiment #2 script
was running somewhere around 1200-1400 rules in the INPUT chain.
Nevertheless the results were similar.
The third experiment yielded the following results:
- 0 rules: 2.9508740 seconds
- 500 rules: 1.3680720 seconds
Conclusions: none at the moment. Quick thought / to-do:
the experiments could be refined in such a way that any
time-dependent characteristic is removed. It could be that the
software bundle used (wget on the client side plus the BOA HTTP
server on the server side plus the OS) exhibits such effects
with respect to elapsed execution time rather than to the count of rules.
A possible solution would be to inject a random count of rules
each time and perform the downloads.
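One way to drive the experiment described above (N DROP rules in INPUT that never match the test network, timed wget downloads, averaged per rule count), visiting the rule counts in random order as the to-do just proposes. This is an added example, not the author's script: the server URL, the 10.0.0.0/8 filler networks and the use of GNU time's -f format are my assumptions.

```shell
# Added example, not the author's script. Assumed names: SERVER_URL (the BOA
# server on the test LAN) and the 10.0.0.0/8 filler networks are my choice;
# the page only says the DROP rules matched 192.168.1.0/24, 192.168.2.0/24
# "and the like". Needs root and GNU time/shuf/seq for the real run.
SERVER_URL="http://192.168.0.1/sample.bin"   # hypothetical

# Filler network for rule index i, drawn from 10.0.0.0/8 so no rule can ever
# match the 192.168.0.0/24 test network: every packet traverses all N rules
# and falls through to the chain policy, as the text describes.
net_for_index() {
  i=$1
  printf '10.%d.%d.0/24\n' $(( (i / 256) % 256 )) $(( i % 256 ))
}

# Rebuild INPUT with exactly n DROP rules (flushes INPUT first).
install_rules() {
  n=$1
  iptables -P INPUT ACCEPT; iptables -F INPUT   # policy ACCEPT ("ALLOW" above)
  i=0
  while [ "$i" -lt "$n" ]; do
    iptables -A INPUT -s "$(net_for_index "$i")" -j DROP
    i=$((i + 1))
  done
}

# Elapsed wall-clock seconds for one download, as printed by GNU time.
time_download() {
  { /usr/bin/time -f '%e' wget -q -O /dev/null "$SERVER_URL"; } 2>&1
}

# Arithmetic mean of its arguments (per rule-count averaging, as in the plots).
mean() {
  printf '%s\n' "$@" | awk '{ s += $1; n++ } END { printf "%.6f\n", s / n }'
}

# Visit rule counts 0,step,..,max in random order (shuf): the refinement the
# author suggests, so that a time-of-day effect cannot masquerade as a
# rule-count effect. Prints "<rules> <mean seconds>" per count, sorted.
run_experiment() {
  step=$1; max=$2; downloads=$3
  seq 0 "$step" "$max" | shuf | while read -r n; do
    install_rules "$n"
    times=""; k=0
    while [ "$k" -lt "$downloads" ]; do
      times="$times $(time_download)"; k=$((k + 1))
    done
    echo "$n $(mean $times)"
  done | sort -n
}
```

Running `run_experiment 1 2000 5` as root on the client reproduces the "small range" setup; `run_experiment 250 8000 10` the "big range".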
Software, environment etc.
- Server: x86, Fedora Core 4, kernel 2.6.17-1.2142_FC4, BOA boa-0.94.14-0.1.rc21
- Client: x86, Fedora Core 5, kernel 2.6.15-1.2054_FC5 (default), wget-1.10.2-3.2.1, iptables-1.3.5-1.2
- Network: 100BaseT switched
At the time of the tests reproduced above neither machine
was used interactively, although the server was running
Snort, which had some impact on the performance.
Downloads