iptables algorithm
Americo Melara
amelara@calpoly.edu
Sat, 16 Mar 2002 15:35:29 -0800
On Thu, Mar 14, 2002 at 02:32:51PM -0800, Americo Melara wrote:
>> Hi, I'm working on my thesis and need some help. I am doing performance
>> measurements to understand how much overhead iptables creates in the
>> stack when processing a single packet by varying the number and type of
>> rules, and the payload size of each packet.
>Could you please describe the exact details on how you measure the
>performance?
>What are the rulesets, which plugins/extensions are loaded, do you use
>a modular or statically compiled kernel, is it a SMP box, do you use
>connection tracking, ....
>Otherwise it's just guessing in the dark.
Yeap! Here it is! Sorry, but I can't make it any shorter.
I am using a dual Pentium II 400 MHz but I have turned the SMP option OFF in
the kernel configuration (I hope that the second one is not working). I'm
using a modular 2.4.7 kernel, but before I do the tests I load the
modules. These are the modules that I use:
ipt_mac, ipt_REJECT, iptable_mangle, ipt_limit, iptable_filter,
ip_conntrack
The rule sets:
I do independent tests for each type of match, for example, (test 1) drop 10
IP addresses, (test 2) drop 40 IP addresses. I do not do any connection
tracking at all. The tests are performed as follows:
PHASE 1
INPUT policy: ACCEPT
Protocol: TCP - send one packet every 4 seconds (send 40 of them)
Payload size: 64 bytes (I do the same tests for payloads of 1400 bytes to
compare results)
Test A.1 --- Drop 10 IP addresses (e.g. iptables -A INPUT -s X.X.X.X -j DROP)
Test A.2 --- Drop 40 IP addresses
Test B.1 --- Drop 10 MAC addresses (e.g. iptables -A INPUT -m mac
--mac-source XX:XX:XX:XX:XX:XX -j DROP)
Test B.2 --- Drop 40 MAC addresses
Test C.1 --- Drop 10 TCP ports (e.g. iptables -A INPUT --proto tcp --dport X
-j DROP)
Test C.2 --- Drop 40 TCP ports
Repeat the process for:
Protocol: UDP
INPUT policy: DROP
Same number of rules, but instead of dropping IP/MAC/TCP I accept them.
Where do I take the timestamps to track the packet throughout the stack?
Here:
1. netif_rx @ (net/core/dev.c)
2. ip_local_deliver @ (net/ipv4/ip_input.c) before it calls NF_HOOK
3. ip_local_deliver_finish @ (net/ipv4/ip_input.c) at the beginning of the
function
4. tcp_rcv_established @ (net/ipv4/tcp_input.c) at the end of the function
5. sock_recvmsg @ (net/socket.c) before it exits the function
How do I take timestamps? Specifically using rdtscl(), but there is a lot
of code in between to grab other information about the packet (e.g.
'skb->stamp' used as an ID to match the time with the time as it travels
throughout the layers).
-- Personal question: would the community be interested in seeing these
results?
Americo Melara
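The rule sets described in the mail, as an added shell example (not part of the original message or the thesis): one function emits the iptables commands for test A, B or C with a given rule count, INPUT chain policy and rule target, so the chain can be reviewed before it is loaded. The 192.0.2.x addresses, the 02:00:... MAC addresses and the 1000x ports are constructed sample values, and the mapping of policy ACCEPT/target DROP to phase 1 and policy DROP/target ACCEPT to the repeated run follows the mail's description.

```sh
#!/bin/sh
# gen_rules KIND COUNT POLICY TARGET [PROTO]
#   KIND   : A (source IP) | B (source MAC) | C (destination port)
#   COUNT  : number of match rules (10 or 40 in the experiment)
#   POLICY : INPUT chain policy (ACCEPT in phase 1, DROP in the repeat)
#   TARGET : rule target (DROP under policy ACCEPT, ACCEPT under policy DROP)
#   PROTO  : tcp | udp, used by test C only (default tcp)
# Prints the commands instead of running them; pipe to sh as root to apply.
gen_rules() {
    kind=$1; count=$2; policy=$3; target=$4; proto=${5:-tcp}
    echo "iptables -F INPUT"
    echo "iptables -P INPUT $policy"
    i=1
    while [ "$i" -le "$count" ]; do
        case $kind in
            # constructed sample values: 192.0.2.1..N, 02:00:00:00:00:01..N, 10001..1000N
            A) echo "iptables -A INPUT -s 192.0.2.$i -j $target" ;;
            B) printf 'iptables -A INPUT -m mac --mac-source 02:00:00:00:00:%02x -j %s\n' \
                   "$i" "$target" ;;
            C) echo "iptables -A INPUT -p $proto --dport $((10000 + i)) -j $target" ;;
            *) echo "unknown test kind: $kind" >&2; return 1 ;;
        esac
        i=$((i + 1))
    done
}
# Note (assumption about the measurement): under policy ACCEPT the measured
# packets must match none of these DROP rules, or they are discarded before
# ip_local_deliver_finish and never reach the sock_recvmsg timestamp; the
# sender must therefore lie outside the sample address/MAC/port ranges.

# rule_count: number of match rules emitted, for checking a generated set.
rule_count() {
    gen_rules "$@" | grep -c -- '-A INPUT'
}
```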