Re: bug report and future request

Hi all

One more thing: after switching to all rules and using only nft (removing qdisc from the kernel config, and removing all iptables tables), in perf top I see nft_do_chain is up to 3-4% on all cores, and if I isolate with perf top -C X I see on one core it is up to 10-15%:

    31.26%  [pppoe]                  [k] pppoe_rcv
     3.19%  [nf_tables]              [k] nft_do_chain
     2.46%  [kernel]                 [k] __netif_receive_skb_core.constprop.0
     2.18%  [kernel]                 [k] fib_table_lookup
     2.07%  [i40e]                   [k] i40e_clean_rx_irq
     1.51%  [kernel]                 [k] __dev_queue_xmit
     1.23%  [kernel]                 [k] dev_queue_xmit_nit
     1.23%  [nf_conntrack]           [k] __nf_conntrack_find_get.isra.0
     1.20%  [kernel]                 [k] __copy_skb_header
     1.19%  [kernel]                 [k] kmem_cache_free
     1.17%  [kernel]                 [k] skb_release_data
     1.06%  [nf_tables]              [k] nft_rhash_lookup


Are there options to optimize the work of the nft rule set?

And for the second question: is it possible to make this limiter work in a flowtable rule set:

#table inet filter {
#        flowtable fastnat {
#                hook ingress priority 0; devices = { eth0, eth1 };
#        }
#
#        chain forward {
#                type filter hook forward priority 0; policy accept;
#                ip protocol { tcp , udp } flow offload @fastnat;
#        }
#}

Like this, and if there are options to make the devices list dynamic, to add devices automatically or to add devices with *.
If the limiter works in the flowtable, it will offload traffic and reduce CPU load.

Martin

> On 23 Mar 2022, at 0:55, Martin Zaharinov <micron10@xxxxxxxxx> wrote:
> 
> Hi Florian
> 
> yes, now it works perfectly
> I will test with 1-4k IPs to see performance vs qdisc or iptables.
> 
> for second offload question:
> 
> is it possible to make the limiter work in offload mode, and is it possible to add dynamic interfaces like ppp* or vlan* or other types?
> 
> 
> 
> P.S.
> 
> thanks for the fast reply for the first part!
> 
> P.S.2 
> 
> resending mail to the netfilter group
> 
> Martin
> 
>> On 22 Mar 2022, at 12:32, Florian Westphal <fw@xxxxxxxxx> wrote:
>> 
>> Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>>> Hi Florian
>>> 
>>> This config looks good but does not work; after setting it, the user is not limited by speed.
>> 
>> Works for me.  Before:
>> [ ID] Interval           Transfer     Bitrate         Retr
>> [  5]   0.00-10.00  sec  5.09 GBytes  4.37 Gbits/sec    0 sender
>> [  5]   0.00-10.00  sec  5.08 GBytes  4.36 Gbits/sec receiver
>> 
>> After:
>> [  5]   0.00-10.00  sec  62.9 MBytes  52.7 Mbits/sec    0 sender
>> [  5]   0.00-10.00  sec  59.8 MBytes  50.1 Mbits/sec receiver
>> 
>>> table inet nft-qos-static {
>>> 	set limit_ul {
>>> 		typeof ip saddr
>>> 		flags dynamic
>>> 		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>> 	}
>>> 	set limit_dl {
>>> 		typeof ip saddr
>>> 		flags dynamic
>>> 		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>> 	}
>>> 
>>> 	chain upload {
>>> 		type filter hook postrouting priority filter; policy accept;
>>> 		ip saddr @limit_ul drop
>>> 	}
>>> 	chain download {
>>> 		type filter hook prerouting priority filter; policy accept;
>>> 		ip saddr @limit_dl drop
>>> 	}
>> 
>> daddr?
>> 
>>> With this config the user with IP 10.0.0.1 is not limited to 5 mbytes,
>> 
>>> When I go back to this config:
>>> 
>>> table inet nft-qos-static {
>>> 	chain upload {
>>> 		type filter hook postrouting priority filter; policy accept;
>>> 		ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>> 	}
>>> 
>>> 	chain download {
>>> 		type filter hook prerouting priority filter; policy accept;
>>> 		ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>> 	           ~~~~~
> 
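An added example, not part of this thread and not Martin's or Florian's code: a Python script that generates the per-subscriber limiter ruleset with the download set and rule keyed on `ip daddr` (the point behind Florian's "daddr?"), and a simplified token-bucket model of `limit rate over R burst B` that counts how many packets of a constant offered load fall over the limit and would therefore hit the `drop` verdict. The subscriber table is constructed sample data, the set-element syntax is the one used in the thread, and the token bucket is an assumed approximation of the nftables limit expression, not its exact kernel implementation.

```python
"""Per-subscriber rate limiting with nftables dynamic sets (added example).

Generates the ruleset from a subscriber table, keying the upload set on the
source address (postrouting, traffic leaving the subscriber) and the download
set on the destination address (prerouting, traffic towards the subscriber),
and models the per-packet decision of `limit rate over R burst B`.
"""

# Constructed sample data: address -> (upload MB/s, download MB/s)
SUBSCRIBERS = {
    "10.0.0.1": (5, 5),
    "10.0.0.254": (12, 12),
}
BURST_KBYTES = 6000


def limit_element(addr, mbytes_per_sec):
    """One set element in the thread's syntax: address plus its limit object."""
    return (f"{addr} limit rate over {mbytes_per_sec} mbytes/second "
            f"burst {BURST_KBYTES} kbytes")


def build_ruleset(subscribers, table="nft-qos-static"):
    """Return the nft ruleset text. Note the download side uses ip daddr in
    both the set key (typeof) and the lookup rule."""
    ul = ", ".join(limit_element(a, r[0]) for a, r in sorted(subscribers.items()))
    dl = ", ".join(limit_element(a, r[1]) for a, r in sorted(subscribers.items()))
    return f"""table inet {table} {{
    set limit_ul {{
        typeof ip saddr
        flags dynamic
        elements = {{ {ul} }}
    }}
    set limit_dl {{
        typeof ip daddr
        flags dynamic
        elements = {{ {dl} }}
    }}
    chain upload {{
        type filter hook postrouting priority filter; policy accept;
        ip saddr @limit_ul drop
    }}
    chain download {{
        type filter hook prerouting priority filter; policy accept;
        ip daddr @limit_dl drop
    }}
}}
"""


class ByteTokenBucket:
    """Assumed simplified model of `limit rate over R bytes/second burst B bytes`:
    tokens refill at R per second up to a cap of B (integer microsecond clock);
    a packet that cannot be paid for is 'over' the limit."""

    def __init__(self, rate_bytes_per_sec, burst_bytes):
        self.rate = rate_bytes_per_sec
        self.cap = burst_bytes
        self.tokens = burst_bytes
        self.last_us = 0

    def over(self, length, now_us):
        refill = (now_us - self.last_us) * self.rate // 1_000_000
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_us = now_us
        if length <= self.tokens:
            self.tokens -= length
            return False      # within the limit: the drop rule does not match
        return True           # over the limit: the packet would be dropped


def simulate_offered_load(rate_mbytes, burst_kbytes, offered_mbytes_per_sec,
                          seconds, pkt=1500):
    """Send evenly spaced packets at a constant offered load through the bucket.
    Returns (packets_passed, packets_dropped)."""
    bucket = ByteTokenBucket(rate_mbytes * 1_000_000, burst_kbytes * 1000)
    interval_us = pkt * 1_000_000 // (offered_mbytes_per_sec * 1_000_000)
    total = seconds * 1_000_000 // interval_us
    dropped = sum(1 for i in range(total) if bucket.over(pkt, i * interval_us))
    return total - dropped, dropped


if __name__ == "__main__":
    print(build_ruleset(SUBSCRIBERS))
    # 10 MB/s offered against a 5 MB/s limit with a 6000 kB burst, for 3 s:
    # the burst absorbs the excess at first, then every second packet is over.
    print(simulate_offered_load(5, 6000, 10, 3))
```

Write the generated text to a file and check it with `nft -c -f <file>` before loading it with `nft -f`; the simulation shows why a subscriber at 10.0.0.1 is not limited when the download chain looks up the source address instead: packets towards that subscriber never hit the element, so no bucket is ever consulted.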