Subject: Re: On the performance of ipfilter
To: David Howland <metalliqaz@fastmail.fm>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-kern
Date: 04/06/2005 12:01:44
On Tue, Apr 05, 2005 at 07:08:13PM -0400, David Howland wrote:
> I have an awful pesky problem with IPFilter (I think).  First, some 
> background:
> 
> I use NetBSD in my home as a kind of "household server".  We have mostly 
> Windows based desktop and laptop clients, and the NetBSD machine hooks 
> up to the cable modem and performs IPF/NAT/http/mail duties.  The 
> machine is PIII 500MHz, 512MB, should be plenty for what it does.  It 
> has two NICs, both 3Com 3C905B.  It doesn't run X, and besides the basic 
> stuff like cron and inetd, all it runs is ssh, apache, smb, ntp, 
> sendmail, dhcpd, dnsmasq.  The only time it ever hits the swap is when I 
> recompile the OS.
> 
> I have these pesky problems with the machine getting laggy or dropping 
> packets.  The problem is difficult to fix.  I now believe that the 
> problem is with ipfilter.  I'll explain:
> 
> [...]
> 
> The pings to the "inside" and "outside" adapter never show anything but 
> <1ms ping time and never drop packets.  The cable modem ping is less 
> than desirable.  Whats worse is that I can cause packet loss to occur. 
> I have a cron script run every 5 minutes for MRTG.  When this happens, 
> it _always_ drops some packets (even when nice'd).  This is not the only 
> time when packets are dropped, and I have a hunch that other times are 
> due to other processes going on processor.
> 
> It can't be the driver, the "inside" adapter never flinches.  It 
> probably isn't option GATEWAY, because the "outside" adapter never 

No, as both addresses are local, it won't go to the routing path.
Using the inside or the outside address won't change anything for your
test.


> flinches.  However, to go outside the box to the cable modem, it has to 
> go through ipf/ipnat.

Yes.

> 
> So, it seems to me that there is perhaps some performance problem with 
> IPFilter in the kernel?

Probably not. I use a sparc IPC to do the same job at home, and I've no such
problems (it also has mrtg running). It has a 25MHz CPU and 48MB ram.

Does the kernel print some message about NMBCLUSTERS (in /var/log/messages,
or dmesg)? How many state entries do you have in kernel when this happens
(use ipnat -l and ipfstat -sl)?

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
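The reply asks for two things to be checked when the drops happen: whether the kernel has logged an NMBCLUSTERS warning, and how large the ipnat and ipf state tables are at that moment. The script below is an added example, not from either poster; it snapshots those numbers so they can be lined up against the five-minute MRTG cron runs. Its assumptions: the kernel warning text contains the word "NMBCLUSTERS" (as NetBSD's mclpool warning did), `ipnat -l` prints sessions after a "List of active sessions:" header, and each `ipfstat -sl` entry starts at column 0 with "addr -> addr" followed by indented continuation lines. The sample texts in the block are constructed for offline testing.

```shell
#!/bin/sh
# ipf-snapshot.sh: record mbuf-cluster warnings and ipf/ipnat state counts.
# Added example (not from the original thread). Run it from cron alongside
# the MRTG job, e.g. every minute, and compare the log against the ping drops.
# Assumptions are marked below; output formats are those of IPFilter 3.x/4.x
# as shipped with NetBSD of that era.

LOG=${LOG:-/var/log/ipf-snapshot.log}

# Count NMBCLUSTERS warnings in dmesg / messages text read from stdin.
# Assumption: the kernel warning mentions NMBCLUSTERS
# ("WARNING: mclpool limit reached; increase NMBCLUSTERS").
nmbclusters_warnings() {
    grep -ci 'nmbclusters' || true
}

# Count active NAT sessions in `ipnat -l` output read from stdin: every
# non-blank line after the "List of active sessions:" header. The MAP/RDR
# rule list printed before that header is deliberately not counted.
nat_sessions() {
    awk 'in_sess && NF { n++ }
         /^List of active sessions:/ { in_sess = 1 }
         END { print n + 0 }'
}

# Count ipf state entries in `ipfstat -sl` output read from stdin.
# Assumption: each entry begins at column 0 as "src -> dst ..." and its
# detail lines are indented, so only unindented lines with " -> " count.
ipf_states() {
    grep -c '^[^[:space:]].* -> ' || true
}

# Take one timestamped snapshot of the live system and append it to $LOG.
# Any tool that is missing simply contributes a count of 0.
snapshot() {
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    warn=$(dmesg 2>/dev/null | nmbclusters_warnings)
    nat=$(ipnat -l 2>/dev/null | nat_sessions)
    st=$(ipfstat -sl 2>/dev/null | ipf_states)
    echo "$ts nmbclusters_warnings=$warn nat_sessions=$nat ipf_states=$st" >> "$LOG"
}

# Constructed sample output, used only to show the parsers offline.
SAMPLE_DMESG='ex0: 3Com 3c905B-TX 10/100 Ethernet (rev. 0x30)
WARNING: mclpool limit reached; increase NMBCLUSTERS
ex1: 3Com 3c905B-TX 10/100 Ethernet (rev. 0x30)'

SAMPLE_IPNAT='List of active MAP/Redirect filters:
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto

List of active sessions:
MAP 192.168.1.10  1025  <- -> 203.0.113.5  40001 [198.51.100.7 80]
MAP 192.168.1.11  53    <- -> 203.0.113.5  40002 [198.51.100.9 53]'

printf '%s\n' "$SAMPLE_DMESG" | nmbclusters_warnings   # 1 warning in sample
printf '%s\n' "$SAMPLE_IPNAT" | nat_sessions           # 2 sessions in sample

# Pass "run" to take a real snapshot; without it only the samples are parsed.
if [ "${1:-}" = run ]; then
    snapshot
fi
```

Once a few hours of snapshots exist, a jump in `nat_sessions` or `ipf_states`, or any non-zero `nmbclusters_warnings`, at the minutes when the cable-modem pings drop points at table size or cluster exhaustion; flat numbers across the drops point away from ipfilter.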