Benchmarking Conntrack in NetFilter Workshop


This content provides insights into benchmarking conntrack in a NetFilter workshop by Joe Stringer on June 24, 2015. It includes details on benchmarks, metrics, test environment, methodology, baseline, test cases, linear chains, map-based approaches, and OVS OpenFlow rules.

  • Benchmarking
  • Conntrack
  • NetFilter
  • Workshop
  • Joe Stringer

Uploaded on Apr 13, 2025



Presentation Transcript


  1. Benchmarking conntrack. NetFilter Workshop, Joe Stringer, 2015-06-24

  2. Benchmarks
     Metrics
       o Connections per second (TCP_RR/CRR)
       o Cycles per connection (perf stat)
     Comparison
       o Base figures, ipt/nft/ovs
     Use cases
     Tools

  3. Test Environment
     br/ovs/ipt/nft
     10G: Intel X540; 10G: BCM57810
     Source: Linux-3.13; Transit: Linux-4.0; Sink: Linux-3.13
     2x Intel Xeon CPU E5-2650 @ 2.00GHz

  4. Methodology
     Tune netfilter parameters
       o eg TCP_TIMEOUT_WAIT=1s
     Configure setup, no more, no less
       o eg no nf_conntrack, netfilter_bridge for L2
     Run tests (perf, netperf) for 30s, sleep 2s
     6 sizes * 4 thread configurations * 3 tries
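The run matrix on the slide (6 sizes x 4 thread configurations x 3 tries, 30 s per run, 2 s sleep) and the two metrics from slide 2 (connections per second from netperf, cycles from perf stat) can be scripted as below. This is an added example, not the talk's own harness or the ct_perf scripts it references; the request sizes, thread counts and sink address are assumed, and it defaults to a dry run that prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the talk): dry-run driver for the slide-4 matrix.
# Assumed: SIZES, THREADS and SINK below; DRY_RUN=1 (default) prints the
# commands, DRY_RUN=0 executes them with perf and netperf installed.

SIZES="${SIZES:-1 64 256 1024 4096 16384}"   # assumed request/response sizes
THREADS="${THREADS:-1 2 4 8}"                # assumed parallel netperf counts
TRIES="${TRIES:-3}"
DURATION=30                                  # seconds per run (slide 4)
PAUSE=2                                      # sleep between runs (slide 4)
SINK="${SINK:-192.170.0.1}"                  # sink address taken from the slides' rules

# One run: N parallel TCP_CRR netperf instances wrapped in one perf stat,
# so connections/second (netperf) and cycles (perf) cover the same interval.
run_one() {
    size=$1; threads=$2; try=$3
    cmd="perf stat -e cycles -a -- sh -c '"
    i=0
    while [ "$i" -lt "$threads" ]; do
        cmd="$cmd netperf -H $SINK -t TCP_CRR -l $DURATION -- -r $size,$size &"
        i=$((i + 1))
    done
    cmd="$cmd wait'"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "size=$size threads=$threads try=$try: $cmd"
    else
        eval "$cmd"
        sleep "$PAUSE"
    fi
}

# The full matrix: every size, every thread count, TRIES repetitions each.
run_matrix() {
    for size in $SIZES; do
        for threads in $THREADS; do
            try=1
            while [ "$try" -le "$TRIES" ]; do
                run_one "$size" "$threads" "$try"
                try=$((try + 1))
            done
        done
    done
}

# Slide-2 metric: cycles per connection = total cycles measured by perf
# divided by (transactions per second reported by netperf * run length).
cycles_per_conn() {
    cycles=$1; trans_per_sec=$2; seconds=$3
    echo $(( cycles / (trans_per_sec * seconds) ))
}

case "${1:-}" in
    matrix) run_matrix ;;
esac
```

Invoking the script as `DRY_RUN=0 sh bench.sh matrix` runs all 72 measurements; without `DRY_RUN=0` it only lists them, which is a convenient way to check the matrix before committing to the roughly 40 minutes it takes.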

  5. Baseline

  6. Test case
     Allowing 1000 IPs
     But traffic isn't matching the first 1K
     Finally, apply firewall
     Allow all one direction
     Allow established in reverse

  7. Linear chains
     -A FORWARD -i p2p1 -p tcp -s 192.170.0.1 -j ACCEPT    (x1000)
     -A FORWARD -i p2p1 -p tcp -s 172.31.1.35 -j ACCEPT
     -A FORWARD -i p3p1 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     -A FORWARD -i p3p1 -p tcp -j DROP

  8. Baseline Linear iteration

  9. OK, everyone knows linear = slow
     So how about the map-based approaches?
     ovsct:
       o openvswitch with wip conntrack support
     nftables:
       o using sets, verdict maps
     ipset

  10. OVS OpenFlow Rules
      in_port=2,conn_state=-trk,tcp,nw_src=192.170.0.1/32, action=ct(recirc,zone=0)
      in_port=2,conn_state=+trk,tcp,nw_src=192.170.0.1/32, action=ct(commit,zone=0),1
      in_port=1,conn_state=-trk,tcp,nw_dst=192.170.0.1/32, action=ct(recirc,zone=0)
      in_port=1,conn_state=+trk+est-new,tcp,nw_dst=192.170.0.1/32, action=2
      in_port=1,conn_state=+trk-est+new,tcp,nw_dst=192.170.0.1/32, action=drop
      priority=10,arp,action=normal
      priority=10,icmp,action=normal
      priority=1,action=drop (lowest priority)

  11. Netfilter sets
      table filter {
          chain forward {
              type filter hook forward priority 0;
              iif p2p1 ip saddr @allowed ip protocol tcp accept
              iif p2p1 ip saddr 172.31.1.35 ip protocol tcp accept
              iif p2p2 ip saddr @allowed ip protocol tcp accept
              iif p2p2 ip saddr 172.31.1.27 ip protocol tcp accept
              iif p3p1 ip protocol tcp ct state established|related accept
              iif p3p1 ip protocol tcp drop
          }
      }

  12. Netfilter set elements
      table filter {
          set allowed {
              type ipv4_addr;
              elements = { 192.170.0.1, }
          }
      }

  13. Netfilter maps
      table ip filter {
          map allowed {
              type ipv4_addr : verdict;
          }
          chain forward {
              type filter hook forward priority 0;
              iif p2p1 ip protocol tcp ip saddr vmap @allowed
              iif p2p1 ip saddr 172.31.1.35 ip protocol tcp accept
              iif p2p2 ip protocol tcp ip saddr vmap @allowed
              iif p2p2 ip saddr 172.31.1.27 ip protocol tcp accept
              iif p3p1 ip protocol tcp ct state established|related accept
              iif p3p1 ip protocol tcp drop
          }
      }

  14. Netfilter map elements
      add element filter allowed { 192.170.0.1 : accept, }
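Slides 6-7 and 10-14 show one allowed address per rule set; the benchmark needs 1000 of them in each format. The generator below, added here and not part of the talk or the ct_perf repository, emits the linear iptables chain, the OVS flows (in the slide's work-in-progress ct() syntax) and the nftables set ruleset for N addresses, so the three can be loaded with iptables-restore, ovs-ofctl add-flows and nft -f respectively. The addresses are constructed sample data counted upward from the slides' 192.170.0.1; interface names and the two management addresses are the ones on the slides.

```shell
#!/bin/sh
# Added example, not from the talk: emit the slides' three rulesets for N
# allowed source addresses. Addresses are constructed (192.170.0.1 upward);
# p2p1/p3p1 and the 172.31.1.35 management address come from the slides.

# i-th allowed address (1-based), never using .0 or .255 as host octet.
ip_at() {
    echo "192.170.$(( ($1 - 1) / 254 )).$(( ($1 - 1) % 254 + 1 ))"
}

# Slide 7: one ACCEPT per address; every packet walks the chain until it
# matches, so the cost of the policy grows with N.
gen_linear_rules() {
    n=${1:-1000}; i=1
    while [ "$i" -le "$n" ]; do
        echo "-A FORWARD -i p2p1 -p tcp -s $(ip_at "$i") -j ACCEPT"
        i=$((i + 1))
    done
    echo "-A FORWARD -i p2p1 -p tcp -s 172.31.1.35 -j ACCEPT"
    echo "-A FORWARD -i p3p1 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i p3p1 -p tcp -j DROP"
}

# Slide 10: five flows per address in the slide's wip conn_state syntax,
# then the fixed ARP/ICMP/drop flows.
gen_ovs_flows() {
    n=${1:-1000}; i=1
    while [ "$i" -le "$n" ]; do
        ip=$(ip_at "$i")
        echo "in_port=2,conn_state=-trk,tcp,nw_src=$ip/32,action=ct(recirc,zone=0)"
        echo "in_port=2,conn_state=+trk,tcp,nw_src=$ip/32,action=ct(commit,zone=0),1"
        echo "in_port=1,conn_state=-trk,tcp,nw_dst=$ip/32,action=ct(recirc,zone=0)"
        echo "in_port=1,conn_state=+trk+est-new,tcp,nw_dst=$ip/32,action=2"
        echo "in_port=1,conn_state=+trk-est+new,tcp,nw_dst=$ip/32,action=drop"
        i=$((i + 1))
    done
    echo "priority=10,arp,action=normal"
    echo "priority=10,icmp,action=normal"
    echo "priority=1,action=drop"
}

# Slides 11-12: the same policy as a single set lookup; the chain length
# stays constant however many elements the set holds.
gen_nft_ruleset() {
    n=${1:-1000}; i=1
    echo "table ip filter {"
    echo "    set allowed {"
    echo "        type ipv4_addr;"
    echo "        elements = {"
    while [ "$i" -le "$n" ]; do
        echo "            $(ip_at "$i"),"
        i=$((i + 1))
    done
    echo "        }"
    echo "    }"
    echo "    chain forward {"
    echo "        type filter hook forward priority 0;"
    echo "        iif p2p1 ip saddr @allowed ip protocol tcp accept"
    echo "        iif p2p1 ip saddr 172.31.1.35 ip protocol tcp accept"
    echo "        iif p3p1 ip protocol tcp ct state established,related accept"
    echo "        iif p3p1 ip protocol tcp drop"
    echo "    }"
    echo "}"
}

case "${1:-}" in
    linear) gen_linear_rules "${2:-1000}" ;;
    ovs)    gen_ovs_flows "${2:-1000}" ;;
    nft)    gen_nft_ruleset "${2:-1000}" ;;
esac
```

Run as `sh genrules.sh linear 1000 > rules.v4` (prefix with `*filter` and suffix with `COMMIT` for iptables-restore), `sh genrules.sh ovs 1000 | ovs-ofctl add-flows br0 -` or `sh genrules.sh nft 1000 | nft -f -`. Because the allowed addresses are generated in order and test traffic on slide 6 deliberately comes from an address that is not among the first 1000, every packet traverses the whole linear chain, which is exactly the worst case the later charts compare against the set and map lookups.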

  15. Baseline Maps Linear iteration

  16. No policy enforced Policy enforced

  17. Performance Isolation
      Conntrack in multi-tenant environments
      If Coke gets lots of connections, ensure it doesn't impact Pepsi
      Per-zone configuration?
        o Connection limits
        o Timeouts
        o Ratelimiting

  18. Sources
      Linux 4.0.5 from kernel.org
      nftables, libnftnl git @ 2015-06-06
      https://github.com/justinpettit/ovs conntrack
      http://people.netfilter.org/kadlec/nftest.pdf
      super_netperf and friends https://github.com/joestringer/ct_perf

  19. Thank You joestringer@nicira.com
