On Tue, 2006-05-02 at 08:43 -0700, Auke Kok wrote:
> These tasks certainly take advantage of smp architecture. In any case you
> should consider what type of nics you are putting in the machines and what the
> bandwidth is that you need. An ordinary desktop machine nowadays with a single
> cpu can perfectly handle 4 100mbit NICs.
>
> afaik iptables is smp-aware meaning that packets coming in and out will be
> handled by whatever cpu is available, and the same goes for routing. Make sure
> you run an irqbalance daemon to spread the rx interrupt load across the cpu's
> if applicable.

ok.. I've been doing some tests, and now it's time for questions :)

I have a setup like this:

  my PC <-> switch <-> Test Router <-> Victim.

Test router has an e100 (eth6) card for my side, and an e1000 (eth3) for the
victim's. Test router only has default local routes for this test. e1000 is
compiled with NAPI. Linux kernel is 2.6.16.12.

I am throwing a juno DoS from my PC to the victim, with no firewall rules, and
things look pretty good:

  my NIC:                   110kpps
  Test Router e100 (eth6):  110kpps
  Test Router e1000 (eth3): 110kpps
  Victim's NIC:             110kpps

Test Router's CPU states:

  Cpu0: 0.0% us, 0.0% sy, 0.0% ni,  61.3% id, 0.0% wa, 7.3% hi, 31.3% si
  Cpu1: 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi,  0.0% si
  Cpu2: 0.0% us, 0.0% sy, 0.0% ni,  82.7% id, 0.0% wa, 2.0% hi, 15.3% si
  Cpu3: 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi,  0.0% si

Cpu0 is handling e100 (eth6), Cpu2 is handling e1000 (eth3).

----------------

Ok, now, I add on the Test Router 770 firewall rules of the type:

  iptables -A FORWARD -i eth6 -s $a.$b.$c.$d -j DROP

Things look like this now:

  my NIC:                   110kpps
  Test Router e100 (eth6):   68kpps
  Test Router e1000 (eth3):  68kpps
  Victim's NIC:              68kpps

Test Router's CPU states:

  Cpu0: 0.0% us, 0.3% sy, 0.0% ni,   0.0% id, 0.0% wa, 0.3% hi, 99.3% si
  Cpu1: 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi,  0.0% si
  Cpu2: 0.0% us, 0.0% sy, 0.0% ni,  88.3% id, 0.0% wa, 2.0% hi,  9.7% si
  Cpu3: 0.0% us, 0.3% sy, 0.0% ni,  99.7% id, 0.0% wa, 0.0% hi,  0.0% si

So.. adding firewall rules makes Cpu0 get really busy.

Turning rp_filter on/off apparently makes no difference to the pps numbers. I
thought it would, but from my test it didn't.

The question is: is there a way to make iptables use the idle processors
instead of the same processor that's taking care of eth6's IRQs?

Thank you.

-
: send the line "unsubscribe linux-net" in the body of a message to
majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
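The measurements in the message above can be turned into a quick diagnostic. The script below is an added example, not code from the thread or from the kernel: it parses per-CPU lines in the format the poster pasted from top, flags the CPU whose softirq (si) share has saturated while other CPUs sit idle, and estimates the CPU time spent per forwarded packet from the si percentage and the measured packet rate. The per-packet and per-rule figures rest on an assumption I am making here, that softirq time grows linearly with packets and with rules in the FORWARD chain; the 90% and 95% thresholds are likewise my own choices, not values from the page.

```python
"""Diagnose a softirq-bound packet path from top-style per-CPU lines.

Added example for the linux-net thread above; not the poster's code.
Assumption: softirq time is linear in packets forwarded and in rules
traversed, so si_fraction / pps approximates per-packet CPU cost.
"""
import re

# Constructed copies of the two snapshots quoted in the message.
BEFORE_RULES = """\
Cpu0:0.0% us,0.0% sy, 0.0% ni, 61.3% id, 0.0% wa, 7.3% hi, 31.3% si
Cpu1:0.0% us,0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Cpu2:0.0% us,0.0% sy, 0.0% ni, 82.7% id, 0.0% wa, 2.0% hi, 15.3% si
Cpu3:0.0% us,0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
"""

AFTER_RULES = """\
Cpu0:0.0% us,0.3% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.3% hi, 99.3% si
Cpu1:0.0% us,0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Cpu2:0.0% us,0.0% sy, 0.0% ni, 88.3% id, 0.0% wa, 2.0% hi, 9.7% si
Cpu3:0.0% us,0.3% sy, 0.0% ni, 99.7% id, 0.0% wa, 0.0% hi, 0.0% si
"""

_CPU_LINE = re.compile(r"^(Cpu\d+):(.*)$")
_FIELD = re.compile(r"([0-9.]+)%\s*([a-z]+)")


def parse_cpu_states(text):
    """Map 'CpuN' -> {'us': ..., 'sy': ..., 'id': ..., 'si': ...} in percent."""
    states = {}
    for line in text.splitlines():
        m = _CPU_LINE.match(line.strip())
        if not m:
            continue
        states[m.group(1)] = {
            name: float(val) for val, name in _FIELD.findall(m.group(2))
        }
    return states


def saturated_cpus(states, si_threshold=90.0):
    """CPUs spending nearly all their time in softirq: the whole netfilter
    traversal for a NIC runs on the CPU that took that NIC's RX interrupt,
    so once it saturates, packets are dropped even though other CPUs idle."""
    return sorted(c for c, f in states.items() if f.get("si", 0.0) >= si_threshold)


def idle_cpus(states, idle_threshold=95.0):
    """CPUs that could take work if the interrupt/softirq load were spread."""
    return sorted(c for c, f in states.items() if f.get("id", 0.0) >= idle_threshold)


def per_packet_cost_us(si_percent, pps):
    """Approximate softirq microseconds per packet (linear model, assumption)."""
    return (si_percent / 100.0) / pps * 1e6


def per_rule_cost_ns(cost_before_us, cost_after_us, rule_count):
    """Extra per-packet cost attributed to each rule in a linearly scanned
    chain; a rough figure that shows why a long FORWARD chain scales badly."""
    return (cost_after_us - cost_before_us) * 1000.0 / rule_count


def diagnose(before_text, after_text, pps_before, pps_after, rule_count):
    """Summarise both snapshots the way an on-call engineer would want it."""
    before, after = parse_cpu_states(before_text), parse_cpu_states(after_text)
    hot = saturated_cpus(after)
    cost_before = per_packet_cost_us(before["Cpu0"]["si"], pps_before)
    cost_after = per_packet_cost_us(after["Cpu0"]["si"], pps_after)
    return {
        "saturated": hot,
        "idle": idle_cpus(after),
        "us_per_packet_before": round(cost_before, 2),
        "us_per_packet_after": round(cost_after, 2),
        "ns_per_rule": round(per_rule_cost_ns(cost_before, cost_after, rule_count), 1),
    }


if __name__ == "__main__":
    # Packet rates and rule count are the figures quoted in the message.
    for k, v in diagnose(BEFORE_RULES, AFTER_RULES, 110_000, 68_000, 770).items():
        print(f"{k}: {v}")
```

Run against the two snapshots from the message, it reports Cpu0 as the only saturated CPU with Cpu1 and Cpu3 idle, and puts the softirq cost at roughly 2.8 µs per packet without rules versus 14.6 µs with the 770 DROP rules, about 15 ns per rule per packet. The practical reading is the one the question is circling: the rules are evaluated in softirq context on whichever CPU services eth6's RX interrupt, so moving that interrupt only relocates the bottleneck, and the lever that actually helps is shortening the per-packet rule walk (one match against a set of addresses instead of 770 sequential -s rules) or distributing RX interrupts across CPUs where the hardware supports it.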