Serious benchmarking

Paul Rusty Russell
Tue, 28 Sep 1999 13:07:20 +0930

In message <> you write:
> hi rusty,
> in your todo-list i found "Serious benchmarking"
> what things in your opinion are attributes for Serious benchmarking ?

Hi Markus!

	I don't want to benchmark just to see pretty numbers, I want
to use it to figure out where to optimize the code (for example, what
order should the comparisons in iptables be in, and should we get rid
of the function calls for TCP/UDP/ICMP for connection tracking?).

	I have a 2GB dump of real traffic off a real office LAN to the
internet.  Running this through different firewall realistic setups
and measuring packet loss; the idea was to use a slow box between two
fast boxes, and speed up the connection rate until you see the box
start to lose packets badly (> 0.1% say).  I'd do: no firewalling,
masquerading only, static NAT (compare Alexey's FAST NAT), simple
firewalling (about 10-20 rules) and DMZ firewalling (something like
the Serious Example from the HOWTO, without masquerading).  You might
want to measure latency as well.

	However, you can't simply play back the traffic at a faster
speed; you want to keep each connection the same speed, and just start
them closer together, which is more like what happens as your network
gets bigger (the Internet doesn't speed up, but you get more traffic).
Writing the code to take a `tcpdump -s 1500 -w' and do this kind of
manipulation is worth its weight in gold (say, +5 points 8-).

> what's the most important points i should cover with my measurements?

The most important point (for me) is that someone does this and tweaks
the code: it's completely unoptimized at the moment, and there's
definitely room for serious improvement.

Hacking time.
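
The replay manipulation described in the message, as an added example that is not part of the original e-mail or of any netfilter code: connection start times are moved closer together while each connection keeps its own packet pacing. It works on already-parsed packet records rather than a raw `tcpdump -w` file; the record layout and the names `compress_starts` and `first_lossy` are assumptions made for illustration.

```python
# Added example: packets are dicts with ts (seconds), src, sport, dst, dport, proto.

def flow_key(p):
    """Direction-independent key so both halves of a connection match."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (p["proto"],) + min(a, b) + max(a, b)

def compress_starts(packets, factor):
    """Pull connection start times together by `factor`; keep per-connection pacing.

    Assumption: a connection is every packet sharing a 5-tuple (port reuse is
    not split into separate connections).
    """
    if not packets:
        return []
    starts = {}
    for p in packets:
        k = flow_key(p)
        starts[k] = min(starts.get(k, p["ts"]), p["ts"])
    t0 = min(starts.values())
    out = []
    for p in packets:
        s = starts[flow_key(p)]
        new_start = t0 + (s - t0) / factor   # only the start gap shrinks
        out.append((new_start + (p["ts"] - s), p))
    return sorted(out, key=lambda item: item[0])

def first_lossy(runs, threshold=0.001):
    """runs: [(factor, sent, received)]; first factor with loss > threshold (0.1%)."""
    for factor, sent, received in sorted(runs):
        if sent and (sent - received) / sent > threshold:
            return factor
    return None

def _pkt(ts, src, sport, dst, dport):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": "tcp"}

# Constructed sample: connection A starts at t=0, connection B at t=10.
SAMPLE = [
    _pkt(0.0, "10.0.0.2", 1025, "192.0.2.1", 80),
    _pkt(0.5, "192.0.2.1", 80, "10.0.0.2", 1025),
    _pkt(1.0, "10.0.0.2", 1025, "192.0.2.1", 80),
    _pkt(10.0, "10.0.0.3", 1026, "192.0.2.1", 25),
    _pkt(10.25, "192.0.2.1", 25, "10.0.0.3", 1026),
]

if __name__ == "__main__":
    for ts, p in compress_starts(SAMPLE, 5):
        print(f"{ts:6.2f} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
```

With a factor of 5, connection B starts at t=2 instead of t=10, but its two packets are still 0.25 s apart, so the firewall under test sees more concurrent connections rather than faster ones.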