HI all
One more after switch to all rule and use only nft (remove qdisc from kernel config, and remove all iptables tables) in perf top see nft_do_chain is up to 3-4% on all core and if isolate with perf top -C X i see on one core is up to 10-15% :
31.26% [pppoe] [k] pppoe_rcv
3.19% [nf_tables] [k] nft_do_chain
2.46% [kernel] [k] __netif_receive_skb_core.constprop.0
2.18% [kernel] [k] fib_table_lookup
2.07% [i40e] [k] i40e_clean_rx_irq
1.51% [kernel] [k] __dev_queue_xmit
1.23% [kernel] [k] dev_queue_xmit_nit
1.23% [nf_conntrack] [k] __nf_conntrack_find_get.isra.0
1.20% [kernel] [k] __copy_skb_header
1.19% [kernel] [k] kmem_cache_free
1.17% [kernel] [k] skb_release_data
1.06% [nf_tables] [k] nft_rhash_lookup
Is have options to optimize work of nft rule set.
and for second question is it posible to make work this limiter in flow table rule set :
#table inet filter {
# flowtable fastnat {
# hook ingress priority 0; devices = { eth0, eth1 };
# }
#
# chain forward {
# type filter hook forward priority 0; policy accept;
# ip protocol { tcp , udp } flow offload @fastnat;
# }
#}
Like this and if have options to make devices list dynamic to add device automatic or to add device with *
If limiter work in flow table will make offload traffic and reduce cpu load
Martin
> On 23 Mar 2022, at 0:55, Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>
> Hi Florian
>
> yes now work perfect
> i will test with 1-4k ips to see performance vs qdisc or iptables.
>
> for second offload question:
>
> is it possible to make limiter work in offload mode and ia it posible to add dynamic interface like ppp* or vlan* or other type.
>
>
>
> P.S.
>
> thanks for fast reply for first part!
>
> P.S.2
>
> resend mail to netfilter group
>
> Martin
>
>> On 22 Mar 2022, at 12:32, Florian Westphal <fw@xxxxxxxxx> wrote:
>>
>> Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>>> Hi Florian
>>>
>>> Look good this config but not work after set user not limit by speed.
>>
>> Works for me. Before:
>> [ ID] Interval Transfer Bitrate Retr
>> [ 5] 0.00-10.00 sec 5.09 GBytes 4.37 Gbits/sec 0 sender
>> [ 5] 0.00-10.00 sec 5.08 GBytes 4.36 Gbits/sec receiver
>>
>> After:
>> [ 5] 0.00-10.00 sec 62.9 MBytes 52.7 Mbits/sec 0 sender
>> [ 5] 0.00-10.00 sec 59.8 MBytes 50.1 Mbits/sec receiver
>>
>>> table inet nft-qos-static {
>>> set limit_ul {
>>> typeof ip saddr
>>> flags dynamic
>>> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>> }
>>> set limit_dl {
>>> typeof ip saddr
>>> flags dynamic
>>> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>> }
>>>
>>> chain upload {
>>> type filter hook postrouting priority filter; policy accept;
>>> ip saddr @limit_ul drop
>>> }
>>> chain download {
>>> type filter hook prerouting priority filter; policy accept;
>>> ip saddr @limit_dl drop
>>> }
>>
>> daddr?
>>
>>> With this config user with ip 10.0.0.1 not limited to 5 mbytes ,
>>
>>> When back to this config :
>>>
>>> table inet nft-qos-static {
>>> chain upload {
>>> type filter hook postrouting priority filter; policy accept;
>>> ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>> }
>>>
>>> chain download {
>>> type filter hook prerouting priority filter; policy accept;
>>> ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>> ~~~~~
>
