Greetings.

In the HPC world, and in network intrusion detection, network performance is paramount. We've found that just having the iptables kernel module loaded without any ruleset substantially reduces performance at high traffic rates.

Some preliminary performance measurements. The total traffic (reported by the iperfs) was:

  ~18 Gbps with IPTables enabled - no ruleset
  ~24 Gbps with IPTables disabled

Disabling IPTables (and unloading the associated kernel modules) seemed to significantly improve performance, but running with IPTables disabled in production is undesirable. Typically, we have external-facing interfaces that we would like to run iptables on, but the internal interfaces, which are just for internal cluster communications, must run as fast as possible.

A similar issue occurs during high-speed network intrusion detection - we want the management interface to be subject to iptables, but we don't want the performance hit of netfilter impeding traffic at the interfaces monitoring the network.

So, what would be desirable to see is a sysctl setting that would tell netfilter to *completely* stay out of the way on a per-interface basis. Many supercomputers run Linux, and it would be nice to also run iptables, but the performance hit is unacceptable.

Thanks in advance,

Jim Mellander
NERSC Cybersecurity