Re: MARK vs CLASSIFY with tc

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Adrian Turcu,


On Wed, 6 Apr 2005 16:28:30 +0100, Adrian Turcu <adrian.turcu@xxxxxxxxxxxxxxxxxx> wrote:

> Hello list,
> 
> I just wonder if someone did any performance tests (speed of processing the 
> packets) or maybe could advise about this two scenario:
> 
> 1. packets are marked with iptables and processed by tc using filters
> 2. packets are sent by iptables directly to tc using CLASSIFY chain, thus 
> avoiding the tc filters
> 
> I had some thinking about these two ways of dealing with egress traffic and my 
> logic says that the second should be faster to process the packets, but I 
> might be wrong (I guess that being an iproute list there will be a lot of 
> people in favour of the first - going even further by skipping iptables all 
> together and using detailed filtering with tc).
> 

It depends. You must consider the ruleset size and ruleset pattern.

For a large ruleset. It is not good to let every packet goes through the
rule and gets matched on some class. Think about 200 rules as an example.

It is better to have some kind of memory on a flow. If first packet of a
flow is classified as class C1, then it good to remember it and every
following packet of this flow is classified as class C1.

iptables/netfilter has CONNMARK support, which can be used to remember
an u32 number, and then set packet's mark from this CONNMARK.

You can use such scheme

# if the flag is set, then restore connmark to mark
iptables -m connmark --mark value/mask -j CONNMARK --restore-mark --mask
   mask
# else, do the various match
iptables <match rule 1> -j CONNMARK --set-mark value/mask
iptables <match rule 1> -j RETURN
iptables <match rule 2> -j CONNMARK --set-mark value/mask
iptables <match rule 2> -j RETURN

Using this method, first packet is matched in O(N), but following
packets are matched in O(1).

So it is good to use iptables CONNMARK + MARK and tc fw filter.

But, if the ruleset is small, the difference should be small. You then
should choose the better one for you:

1. netfilter is more flexible;
2. tc filter is expected to be a little faster (I am not sure);


> This came up not just for fun nor that I saw some noticeable differences (not 
> with the volume of traffic I'm having at the moment). I want to regulate the 
> traffic from a multimedia server (RTSP) and everybody knows that audio/video 
> traffic is very sensitive to variable latency and jitter with terrible 
> end-user experience.
> 
> BTW I'm using HTB with SFQ, kernel 2.6.11.6, iproute2 ss050318 and iptables 
> 1.3.1. I used PFIFO before SFQ, but it seems that it takes quite a lot for 
> the per stream bandwidth to be re-adjusted in case a new session opens and 
> I'm already at the limit with the allocated slice from the total available 
> pipe.
> 
> Thanks for taking your time thinking about this,
> Adrian
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc



-- 
  lark

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux