Re: DoS/DDoS protection for end nodes

On 22/04/2024 17:12, William N. wrote:
> Thanks for the feedback, Quentin!
> It's great to have you here.
> 
> As discussed in another thread recently, I wonder what your testing
> procedures are to compare the performance of one ruleset with that of
> another for the purpose of hopefully optimizing whatever is possible.

I've used pktgen [0], which is a kernel module able to generate fake traffic
at very high speed. You can define the packet size and rate. Using two
servers, I've been able to estimate the processing rate of iptables,
nftables, and bpfilter's BPF programs by using the rules packet counters.

I'm not 100% sure checking the rules counters is the best approach, but it's
convenient and reliable.

[0]: https://docs.kernel.org/networking/pktgen.html
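
An added example, not part of the original message: one way to turn rule packet counters into a processing-rate estimate for nftables, by diffing two `nft -j list ruleset` snapshots taken a known interval apart. The table, chain, handle and counter values in the sample are constructed, and the rule is assumed to carry an inline `counter` expression.

```python
import json
import subprocess

def snapshot():
    """Live snapshot of the ruleset as JSON; needs root and the nft binary."""
    return subprocess.run(["nft", "-j", "list", "ruleset"],
                          check=True, capture_output=True, text=True).stdout

def rule_counters(ruleset_json):
    """Map (family, table, chain, handle) -> (packets, bytes) per counted rule."""
    counters = {}
    for item in json.loads(ruleset_json).get("nftables", []):
        rule = item.get("rule")
        if not rule:
            continue  # metainfo, table, chain and set objects carry no rule counter
        for expr in rule.get("expr", []):
            c = expr.get("counter") if isinstance(expr, dict) else None
            if isinstance(c, dict):  # a named counter reference is a string: skipped
                key = (rule["family"], rule["table"], rule["chain"], rule["handle"])
                counters[key] = (c["packets"], c["bytes"])
                break
    return counters

def rates(before, after, seconds):
    """Per-rule (packets/s, bits/s) between two snapshots `seconds` apart."""
    out = {}
    for key, (p1, b1) in after.items():
        if key not in before:
            continue  # rule added during the run: no baseline to diff against
        p0, b0 = before[key]
        if p1 < p0 or b1 < b0:
            continue  # counter was reset or the rule replaced mid-run
        out[key] = ((p1 - p0) / seconds, (b1 - b0) * 8 / seconds)
    return out

def sample_ruleset(packets, nbytes):
    """Constructed snapshot: one counted drop rule in inet/filter/input."""
    return json.dumps({"nftables": [
        {"metainfo": {"json_schema_version": 1}},
        {"table": {"family": "inet", "name": "filter", "handle": 1}},
        {"rule": {"family": "inet", "table": "filter", "chain": "input",
                  "handle": 4,
                  "expr": [{"counter": {"packets": packets, "bytes": nbytes}},
                           {"drop": None}]}}]})

if __name__ == "__main__":
    t0 = rule_counters(sample_ruleset(1_000, 60_000))
    t1 = rule_counters(sample_ruleset(5_001_000, 300_060_000))
    for key, (pps, bps) in rates(t0, t1, 10).items():
        print(key, f"{pps:,.0f} pps", f"{bps / 1e6:,.1f} Mbit/s")
```

On a live host, call `snapshot()` before and after the generator run and pass the measured interval to `rates()`.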



