On 10.11.2014 19:04, Dave Taht wrote: > Several notes on this thread: > > 1) Inefficient firewall rules are a common, and it is often possible > to seriously optimize them. Find a place to post them so others can > take a look. > > But a huge problem on devices with offloads is that the first iptables > rule you insert costs quite a lot if it causes offloads to be > disabled. The rules are reasonably efficient. Its the standard EdgeOS zone configuration where traffic is routed into a chain based on the output interface and from there into a chain based on the incoming interface. There the first rule is to accept all related and established traffic followed by the "real" rules that allow specific traffic based on addresses, ports and ipsets. There are some standard Vyatta hook chains involved that are empty but if these decimate the packet throughput this much then no optimization can bring the processing to acceptable levels. > 2) fq_codel is very efficient and rarely shows up as a significant > fraction of cpu - other overheads (like firewall rules and HTB) > dominate. If you are trying to push more than 60Mbit through HTB + any > qdisc on the edgerouter lite we hit problems. > > 3) We (meaning cerowrt and openwrt and many others) worked very hard > on making 3.10.12 and later the best possible kernel for routers we > could make, and I do hope that the latest 1.6 edgerouter release > proves stabler and faster than the last. But see points 1 and 2. I've been thinking about using 3.16 on the new box since 3.15 apparently brought some scalability improvements for connection tracking and 3.16 is going to be supported by Ubuntu at least into 2016 makeing it effectively a long-term supported kernel. > 4) At this point in time I am intensely frustrated with all the > hardware offloading based products. In every case they work just fine > in benchmarks, but often fall appallingly short of their rated specs > when some more real-world configuration is used. And furthermore, the > chipmakers with their "secret sauce" in their firmware are generally > unwilling to open that up so that it could be improved to match the > requirements of the real world. That has been my experience as well and it is indeed extremely frustrating. Since the trouble with the EdgeRouter Pro was causing serious issues I replaced it with a regular System we had lying around with 8 cores and multiqueue capable network interfaces. I performed some basic optimizations like irq affinity and XPS assignment and imported the ipsets and iptables rules from the EdgeRouter without any changes. At peak times the cpu utilization shows each core 98-99% idle. Regards, Dennis -- To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
