TCP/UDP checksum in hardware
Alexander Sirotkin
demiourgos at gmail.com
Thu Mar 8 11:15:11 CET 2007
On 3/5/07, Patrick McHardy <kaber at trash.net> wrote:
> Alexander Sirotkin wrote:
> > On 3/4/07, Patrick McHardy <kaber at trash.net> wrote:
> >
> >> Alexander Sirotkin wrote:
> >> > The reason I'm asking is that computing checksum (in case of NAT, for
> >> > instance) becomes a real problem on embedded devices
> >>
> >> Do you have any data to show this?
> >>
> > I don't know how relevant this is for netfilter, but yes - if the
> > device does not support checksum offloading my benchmark which I ran
> > on 266MHz MIPS 24K (which is a pretty common processor for residential
> > gateways) showed that under 80Mbps UDP traffic, with NAT enabled,
> > checksum check takes about 15% CPU.
>
> The first question would be whether this is really checksumming
> done by netfilter or by the UDP code. Since enabling checksum
> offloading seems to help, this points to the UDP code. In case
> it is netfilter, the second question would be whether it's
> checksum verification or updates.
>
> > BTW, while we are on the subject, the overhead of netfilter itself,
> > i.e. the difference in CPU utilization of kernel with and without
> > netfilter on the above platform is more than 5%. Is there anybody here
> > willing to discuss this?
>
> Is this with netfilter modules (like iptables, conntrack, NAT, ...)
> loaded or just by enabling netfilter in the configuration?
>
Just netfilter, no modules.
Strangely enough, this only happens with bridge configuration. With
router configuration the difference in CPU utilization is minor,
however with bridge it is huge - about 25% on my system.
> BTW, which kernel version are you talking about?
>
2.6.16.22