Juan Pablo Abuyeres wrote:
> Hi guys,
> I've been using an old single processor / Linux 2.4 iptables based
> firewall for a few years.
> Now it's time to upgrade that machine, so, I am wondering, would it be
> of real benefit if I put a two-processor system for a firewall? This
> machine is going to have 4 NICs, it's going to do routing (lots of
> routes), and firewall (iptables). I don't know if these kinds of tasks
> take advantage of a multiple-processor architecture. Please enlighten
> me :)

These tasks certainly take advantage of SMP architecture. In any case you
should consider what type of NICs you are putting in the machines and what the
bandwidth is that you need. An ordinary desktop machine nowadays with a single
CPU can perfectly handle 4 100mbit NICs.
AFAIK iptables is SMP-aware, meaning that packets coming in and out will be
handled by whatever CPU is available, and the same goes for routing. Make sure
you run an irqbalance daemon to spread the rx interrupt load across the CPUs,
if applicable.
This field is highly volatile at the moment, there are lots of people trying
to improve it at the moment.
Auke
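
An added example, not part of the original message: one way to check whether NIC interrupt load is actually spread across CPUs, by parsing `/proc/interrupts`. The `eth\d+` interface pattern and the sample counters are assumptions constructed for illustration.

```python
import re

# Constructed sample in /proc/interrupts layout (2 CPUs, 4 NICs); not real data.
SAMPLE = """\
           CPU0       CPU1
  0:    1200345          0   IO-APIC-edge      timer
 16:     982113        120   IO-APIC-fasteoi   eth0
 17:     450210     431877   IO-APIC-fasteoi   eth1
 18:          0     775002   IO-APIC-fasteoi   eth2
 19:     300100     299800   IO-APIC-fasteoi   eth3
NMI:          0          0   Non-maskable interrupts
"""

def nic_irq_counts(text, nic_pattern=r"\beth\d+"):
    """Return {nic: [interrupts per CPU]}, summing all IRQ lines of one NIC."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())  # header row: CPU0 CPU1 ...
    result = {}
    for line in lines[1:]:
        fields = line.partition(":")[2].split()
        if len(fields) <= ncpu or not all(f.isdigit() for f in fields[:ncpu]):
            continue  # summary rows such as ERR/MIS carry a single counter
        match = re.search(nic_pattern, " ".join(fields[ncpu:]))
        if match:
            row = [int(f) for f in fields[:ncpu]]
            prev = result.get(match.group(0), [0] * ncpu)
            result[match.group(0)] = [a + b for a, b in zip(prev, row)]
    return result

def cpu_shares(counts):
    """Fraction of all NIC interrupts handled by each CPU."""
    totals = [sum(col) for col in zip(*counts.values())]
    grand = sum(totals) or 1
    return [t / grand for t in totals]

def busiest_cpu(counts):
    """Map each NIC to the CPU that serviced most of its interrupts."""
    return {nic: row.index(max(row)) for nic, row in counts.items()}

if __name__ == "__main__":
    try:
        with open("/proc/interrupts") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE  # fall back to the constructed sample off Linux
    counts = nic_irq_counts(data)
    print("per-NIC busiest CPU:", busiest_cpu(counts))
    print("per-CPU share of NIC interrupts:",
          [f"{s:.1%}" for s in cpu_shares(counts)])
```

A single NIC landing mostly on one CPU is normal; the figure to watch is the per-CPU share across all NICs, which should not sit near 100% on one CPU while others idle.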