On Mon, Jun 21, 2010 at 7:02 PM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote: > Hi, > > On Mon, 21 Jun 2010, krunal patel wrote: > >> I found a difference in performance of ipset 4.2 with with >> linux-2.6.18.8 and linux-2.6.27.45. >> With 1.5 Gbps of traffic and with 3 ipset rules added in forward >> path, I got response time of 6 msecs in both kernels. >> If i increase number of ipset rules, response time increases badly >> in case of 2.6.27.45 kernel, where it is same (6 msecs) in 2.6.18.8 >> kernel. > > I'm sorry but I simply don't get what you want to measure: > I am measuring packet latency when ipset is used in packet path with 2.6.27.45 kernel at arond 3 to 3.5 Gbps of traffic. I am doing this as a part of kernel switch from 2.6.18.8 to 2.6.27.45. >> I am testing my machine with Spirent (load generator). Only HTTP >> protocol load is passed through machine. >> following are the steps. >> >> iptables -F PREROUTING -t raw >> iptables -F PREROUTING -t mangle >> iptables -F PREROUTING -t nat >> iptables -F FORWARD -t mangle >> iptables -F FORWARD -t filter >> iptables -F POSTROUTING -t mangle >> iptables -F POSTROUTING -t nat >> >> ipset -N testip iphash --hashsize 1 >> ipset -A testip 1.2.3.4 (=> This can be any IP. Here it is not >> used for any purpose other then performance testing) > > So I assume the source IP address of the packets won't match the > testip set. > Yes, rules are just to add more ipset chains. >> iptables -A FORWARD -m set ! --set testip src >> iptables -A FORWARD -m set ! --set testip src >> iptables -A FORWARD -m set --set testip src > > You do not measure ipset definitely. Because there is no target in the > rules, all of them are evaluated one after another, regardless of the > previous ones: netfilter just increases the packet/byte counters of the > matching rules, but continues by processing the next rule(s). > No, we are measuring only ipset. What we are suspecting is, as number of ipset matches increases in packet path latency is increasing. >> Up to here everything is fine in linux-2.6.18.8 and >> linux-2.6.27.45. - HTTP response time is 6ms. >> >> After that I added 2 3 more chains. >> >> iptables -A FORWARD -m set ! --set testip src >> iptables -A FORWARD -m set ! --set testip src >> iptables -A FORWARD -m set ! --set testip src >> >> Now HTTP response time for linux-2.6.18.8 is constant to 6msecs >> whereas it increases to 1000ms in linux-2.6.27.45 and even increases >> more if I keep on adding same rule. > > You mean, by adding three more non-matching rules the response time > increased from 6msecs to 1000msecs?? > Hmm, that is correct. Infact, 1000 msecs is just by adding 1 more rule. 3 rules took it to around 3000 to 4000 msecs. Note that with 2.6.18.8, latency is not getting increased by adding more ipset rules. (to be precise it is around 6 msesc) > Best regards, > Jozsef > - > E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt > Address : KFKI Research Institute for Particle and Nuclear Physics > H-1525 Budapest 114, POB. 49, Hungary > Regards, Krunal. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
