iptables Notes - 1


Testing the relationship between rule count and performance

Test setup

Using iperf to measure iptables performance

Server: Ubuntu 20.04, IP: 192.168.0.29

Client: Ubuntu 16.04, IP: 192.168.0.30

Case 1.

No extra rules added to iptables

root@test-Standard-PC:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size:  128 KByte (default)
------------------------------------------------------------
[  4] local 192.168.0.29 port 5001 connected with 192.168.0.30 port 36432
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-600.0 sec   741 GBytes  10.6 Gbits/sec
root@test-Standard-PC:~# iperf -c 192.168.0.29 -i 10 -t 600
------------------------------------------------------------
Client connecting to 192.168.0.29, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
~~~
~~~
[  3]  0.0-600.0 sec   743 GBytes  10.6 Gbits/sec

The data captured from Cacti show CPU utilization concentrated on a single CPU, averaging 92%. The average throughput measured by iperf is 10.6 Gbps, while Cacti reports 9.95 Gbps; the average packet rate seen in Cacti is 20.73 Kpps.




Latency test with 100 ping packets

root@cacti:~# ping 192.168.0.29 -c 100
~~
~~
--- 192.168.0.29 ping statistics ---
100 packets transmitted, 100 received, 0% packet loss, time 101360ms
rtt min/avg/max/mdev = 0.133/0.258/0.337/0.037 ms

Case 2.

10,000 arbitrary rules added to iptables, none of whose source addresses match the test IP

# 100 x 100 = 10,000 DROP rules for sources i.10.193.j, none of which matches the test client
for ((i=1;i<=100;i++));do for((j=1;j<=100;j++));do iptables -A INPUT -s $i.10.193.$j -j DROP;done; done
root@test-Standard-PC:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size:  128 KByte (default)
------------------------------------------------------------
[  4] local 192.168.0.29 port 5001 connected with 192.168.0.30 port 36436
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-600.0 sec   372 GBytes  5.33 Gbits/sec
iperf -c 192.168.0.29 -i 10 -t 600
------------------------------------------------------------
Client connecting to 192.168.0.29, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
~~~
~~~
[  3]  0.0-600.0 sec   372 GBytes  5.33 Gbits/sec

The data captured from Cacti show CPU utilization concentrated on a single CPU, averaging 94%. The average throughput measured by iperf is 5.33 Gbps, while Cacti reports 5.06 Gbps; the average packet rate seen in Cacti is 10.30 Kpps.




Latency test with 100 ping packets

root@cacti:~# ping 192.168.0.29 -c 100
~~
~~
--- 192.168.0.29 ping statistics ---
100 packets transmitted, 100 received, 0% packet loss, time 101357ms
rtt min/avg/max/mdev = 0.319/0.427/0.553/0.045 ms

Summary

The two cases show that adding a large number of rules to iptables degrades throughput: although system CPU usage dropped, overall CPU utilization stayed just as high. The main reason is that iptables rules are evaluated from top to bottom, and in this test none of them matched the test IP, so every incoming packet had to be walked through all 10,000 rules one by one. That adds a large amount of processing time per packet and therefore lowers throughput.
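The following shell functions are an added example, not part of the original post. They produce the post's 10,000-rule blocklist as an iptables-restore file, the same addresses as an ipset that needs only one INPUT rule (a single hash lookup per packet instead of the 10,000-rule walk measured above), and two audit helpers that read an "iptables-save -c" dump to report rules per chain and rules that have never matched. The set name "blocklist" and the sample dump are assumptions constructed for the example.

```shell
# Added example (not the post's code): the post's 100x100 loop as an
# iptables-restore file. Load with: gen_iptables_rules | iptables-restore -n
# (one atomic load instead of 10,000 iptables invocations; -n does not
# flush chains the file does not mention).
gen_iptables_rules() {
  echo '*filter'
  i=1
  while [ "$i" -le 100 ]; do
    j=1
    while [ "$j" -le 100 ]; do
      echo "-A INPUT -s $i.10.193.$j/32 -j DROP"
      j=$((j + 1))
    done
    i=$((i + 1))
  done
  echo 'COMMIT'
}

# Same addresses as an ipset restore file ("blocklist" is an assumed name).
# After "ipset restore < file", one rule replaces the 10,000-rule walk:
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
gen_ipset_rules() {
  echo 'create blocklist hash:ip family inet'
  gen_iptables_rules | awk '$3 == "-s" { sub(/\/32$/, "", $4); print "add blocklist", $4 }'
}

# Audit helpers for an "iptables-save -c" dump read on stdin; rule lines
# look like "[pkts:bytes] -A CHAIN ...". Rules per chain:
rules_per_chain() {
  awk '$2 == "-A" { n[$3]++ } END { for (c in n) print c, n[c] }' | sort
}
# Rules whose packet counter is still zero, i.e. never matched since load:
zero_hit_rules() {
  awk '$1 == "[0:0]" && $2 == "-A" { sub(/^[^ ]* /, ""); print }'
}

# Constructed sample dump (not captured from the post's hosts).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [1234:567890]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [999:88888]
[0:0] -A INPUT -s 1.10.193.1/32 -j DROP
[0:0] -A INPUT -s 1.10.193.2/32 -j DROP
[41:3280] -A INPUT -s 192.168.0.30/32 -p tcp -m tcp --dport 5001 -j ACCEPT
[7:588] -A FORWARD -j DROP
COMMIT'
```

Run the audit on a live host with `iptables-save -c | rules_per_chain` and `iptables-save -c | zero_hit_rules`; a long INPUT chain full of zero-hit rules is exactly the situation Case 2 measures.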

#iptables





