Re: SMP or Single CPU?

Juan Pablo Abuyeres wrote:
On Tue, 2006-05-02 at 08:43 -0700, Auke Kok wrote:
These tasks certainly take advantage of smp architecture. In any case
you should consider what type of NICs you are putting in the machines and what the bandwidth is that you need. An ordinary desktop machine nowadays with a single CPU can perfectly handle 4 100mbit NICs.

afaik iptables is smp-aware meaning that packets coming in and out
will be handled by whatever CPU is available, and the same goes for routing. Make sure you run an irqbalance daemon to spread the rx interrupt load across the CPUs if applicable.

ok.. I've been doing some tests, and now it's time for questions :)

I have a setup like this:
my PC <-> switch <-> Test Router <-> Victim.

Test router has an e100(eth6) card for my side, and an e1000(eth3) for the
victim's.
Test router only has default local routes for this test. e1000 is
compiled with NAPI. Linux kernel is 2.6.16.12.

I am throwing a juno DoS from my PC to the victim, with no firewall
rules, and things look pretty good:
my NIC: 110kpps
Test Router e100(eth6): 110kpps
Test Router e1000(eth3): 110kpps
Victim's NIC: 110kpps

Test Router's CPU states:
Cpu0:0.0% us,0.0% sy,  0.0% ni, 61.3% id,  0.0% wa,  7.3% hi, 31.3% si
Cpu1:0.0% us,0.0% sy,  0.0% ni, 100.0% id,  0.0% wa,  0.0% hi,  0.0% si
Cpu2:0.0% us,0.0% sy,  0.0% ni, 82.7% id,  0.0% wa,  2.0% hi, 15.3% si
Cpu3:0.0% us,0.0% sy,  0.0% ni, 100.0% id,  0.0% wa,  0.0% hi,  0.0% si

Cpu0 is handling e100(eth6), Cpu2 is handling e1000(eth3)

----------------
Ok, now, I add on the Test Router 770 firewall rules of the type:
iptables -A FORWARD -i eth6 -s $a.$b.$c.$d -j DROP
Things look like this now:
my NIC: 110kpps
Test Router e100(eth6): 68kpps
Test Router e1000(eth3): 68kpps
Victim's NIC: 68kpps

Test Router's CPU states:
Cpu0:0.0% us,0.3% sy,  0.0% ni,  0.0% id,  0.0% wa,  0.3% hi, 99.3% si
Cpu1:0.0% us,0.0% sy,  0.0% ni, 100.0% id,  0.0% wa,  0.0% hi,  0.0% si
Cpu2:0.0% us,0.0% sy,  0.0% ni, 88.3% id,  0.0% wa,  2.0% hi,  9.7% si
Cpu3:0.0% us,0.3% sy,  0.0% ni, 99.7% id,  0.0% wa,  0.0% hi,  0.0% si

So.. adding firewall rules makes Cpu0 get real busy.
Turning rp_filter on/off apparently makes no difference on the pps
numbers. I thought it would, but from my test it didn't.

The question is: is there a way to make iptables use the idle
processors instead of the same processor that's taking care of eth6's
IRQs?

AFAIK not: as soon as the packet comes in it is directed to a single CPU which *has* to queue it for userspace and do all the filtering. It would not make sense to switch context for every packet only to find out that you have to switch another context to process the packet and give it to the socket.

Of course this is ugly, and this is why people are working on things like netchannels ...

Auke
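
An added example, not part of the original thread: a small Python check that parses the per-CPU lines quoted in the two test runs above and reports when one CPU is saturated by interrupt work (hi + si) while other CPUs sit idle, which is the pattern seen once the 770 rules are loaded. The function names and the 95% thresholds are assumptions chosen for illustration.

```python
import re

# Per-CPU lines copied from the two test runs quoted in the message above.
NO_RULES = """\
Cpu0:0.0% us,0.0% sy,  0.0% ni, 61.3% id,  0.0% wa,  7.3% hi, 31.3% si
Cpu1:0.0% us,0.0% sy,  0.0% ni, 100.0% id,  0.0% wa,  0.0% hi,  0.0% si
Cpu2:0.0% us,0.0% sy,  0.0% ni, 82.7% id,  0.0% wa,  2.0% hi, 15.3% si
Cpu3:0.0% us,0.0% sy,  0.0% ni, 100.0% id,  0.0% wa,  0.0% hi,  0.0% si
"""
WITH_770_RULES = """\
Cpu0:0.0% us,0.3% sy,  0.0% ni,  0.0% id,  0.0% wa,  0.3% hi, 99.3% si
Cpu1:0.0% us,0.0% sy,  0.0% ni, 100.0% id,  0.0% wa,  0.0% hi,  0.0% si
Cpu2:0.0% us,0.0% sy,  0.0% ni, 88.3% id,  0.0% wa,  2.0% hi,  9.7% si
Cpu3:0.0% us,0.3% sy,  0.0% ni, 99.7% id,  0.0% wa,  0.0% hi,  0.0% si
"""

CPU_LINE = re.compile(r"\s*(Cpu\d+)\s*:(.*)")
FIELD = re.compile(r"([\d.]+)%\s*(us|sy|ni|id|wa|hi|si)")


def parse_cpu_states(text):
    """Return {cpu_name: {field: percent}} from top-style per-CPU lines."""
    states = {}
    for line in text.splitlines():
        m = CPU_LINE.match(line)
        if m:
            states[m.group(1)] = {k: float(v) for v, k in FIELD.findall(m.group(2))}
    return states


def softirq_bottleneck(states, busy=95.0, idle=95.0):
    """Flag CPUs saturated by hard+soft IRQ time while others are idle.

    busy and idle are illustrative thresholds (assumptions), in percent.
    """
    saturated = sorted(c for c, s in states.items() if s["hi"] + s["si"] >= busy)
    spare = sorted(c for c, s in states.items() if s["id"] >= idle)
    return {"saturated": saturated, "idle": spare,
            "bottleneck": bool(saturated) and bool(spare)}


if __name__ == "__main__":
    for label, sample in (("no rules", NO_RULES), ("770 rules", WITH_770_RULES)):
        print(label, softirq_bottleneck(parse_cpu_states(sample)))
```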