netfilter benchmarks on two gigabit ethernet cards

Stephen J. Smoogen smooge at
Mon Aug 22 23:30:03 CEST 2005

I don't have any published numbers but what I found was that it
depended on multiple factors:

PCI-Extreme vs PCI-X vs PCI
PCI 32bit vs 64 bit card
switch vendor
card vendor and chipset (intel vs broadcom etc)
Kernel version
  2.4.9 vs 2.4.20 vs 2.4.24 gave different numbers
     vendor kernels also widely different
  2.6.0 vs 2.6.9 also gave different numbers
IA32 vs AMD-64

We were able to get about 89% sustained wire-rate (1.78 Gbit over
2 Gbit throughput) on a 1.5 GHz system with 133 MHz PCI-X E1000 cards.
The AMD64 system we were spec'ing out would have been useful for
10Gbit traffic.

Things that killed our testing were dealing with small and large
packets on the wire at the same time. The testing guys were used to
testing gbit switches and throwing millions of small packets in with
the large packets and seeing what got through. The netfilter with
2.4.24 kernel didn't do too well (throughput fell to 60%) but I didn't
get time to try and tune beyond out of the box.

On 8/22/05, Zef <zef at> wrote:
> Hello
> do you know any benchmarks showing packets per second filtering power of
> netfilter running on X86 platforms with two gigabit cards?
> Same question for ARM based platforms.
> I know that this is a silly question cos it is heavily dependent on both
> the hardware platform and the filtering rules, but I really need to know
> the numbers (or I'll do the tests by myself).
> Thanks for netfilter.
> Zef'

Stephen J Smoogen.
CSIRT/Linux System Administrator
