TCP/UDP checksum in hardware
demiourgos at gmail.com
Thu Mar 8 11:15:11 CET 2007
On 3/5/07, Patrick McHardy <kaber at trash.net> wrote:
> Alexander Sirotkin wrote:
> > On 3/4/07, Patrick McHardy <kaber at trash.net> wrote:
> >> Alexander Sirotkin wrote:
> >> > The reason I'm asking is that computing checksum (in case of NAT, for
> >> > instance) becomes a real problem on embedded devices
> >> Do you have any data to show this?
> > I don't know how relevant this is for netfilter, but yes - if the
> > device does not support checksum offloading my benchmark which I ran
> > on 266Mhz MIPS 24K (which is a pretty common processor for residential
> > gateways) showed that under 80Mbps UDP traffic, with NAT enabled,
> > checksum check takes about 15% CPU.
> The first question would be whether this is really checksumming
> done by netfilter or by the UDP code. Since enabling checksum
> offloading seems to help, this points to the UDP code. In case
> it is netfilter, the second question would be whether its
> checksum verification or updates.
> > BTW, while we are on the subject, the overhead of netfilter itself,
> > i.e. the difference in CPU utilization of kernel with and without
> > netfilter on the above platform is more than 5%. Is there anybody hear
> > willing to discuss this ?
> Is this with netfilter modules (like iptables, conntrack, NAT, ...)
> loaded or just by enabling netfilter in the configuration?
Just netfilter, no modules.
Strangely enough, this only happens with bridge configuration. With
router configuration the difference in CPU utilization is minor,
however with bridge it is huge - about 25% on my system.
> BTW, which kernel version are you talking about?
More information about the netfilter-devel