lp:~christof-mroz/hipl/hipfw-esp-speedup
This branch contains the principal improvement from the old hipfw-performance branch:
Dynamic insertion and deletion of iptables rules for known SPI/Destination IP pairs, in order to prevent packets that don't need further processing from being received by ip_queue, which would otherwise result in a useless kernel-userspace round trip and thus a considerable performance hit.
Quoting from my original mail:
<snip>
=== trunk ===
-------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
-------
[ 4] local 2001:10:
with 2001:11:
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.3 sec 12.0 MBytes 9.80 Mbits/sec
-------
Client connecting to 2001:10:
TCP window size: 16.0 KByte (default)
-------
[ 3] local 2001:11:
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.1 sec 12.0 MBytes 9.97 Mbits/sec
=== hipfw-performance ===
-------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
-------
[ 4] local 2001:10:
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.0 sec 21.1 MBytes 17.7 Mbits/sec
-------
Client connecting to 2001:10:
TCP window size: 16.0 KByte (default)
-------
[ 3] local 2001:11:
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 21.1 MBytes 17.7 Mbits/sec
</snip>
This feature is currently opt-in and can be turned on using the -u command line option. Otherwise, everything should behave as before.
Even if ip_queue is bypassed for a connection, timeouts should still work as expected, with all associated rules getting removed.
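The rule lifecycle described above, as an added example that is not code from this branch: it builds the insert and delete commands for one SPI/destination pair and refuses anything that is not a plain address literal. The chain name EXAMPLE-HIPFW-INPUT, the function name esp_bypass_cmd and the sample addresses and SPIs are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYPASS_CHAIN "EXAMPLE-HIPFW-INPUT" /* hypothetical chain name */

/* Build the command that inserts (op 'I') or deletes (op 'D') an ACCEPT rule
 * for one SPI/destination pair, so matching ESP packets never reach the
 * queueing rule further down the chain.
 * dst is parsed with inet_pton and re-printed with inet_ntop, so only a
 * canonical address literal can end up on the command line.
 * Returns the command length, or -1 on bad input or a too-small buffer. */
int esp_bypass_cmd(char op, const char *dst, uint32_t spi, char *buf, size_t len)
{
    unsigned char addr[sizeof(struct in6_addr)];
    char canon[INET6_ADDRSTRLEN];
    const char *tool;
    int af, n;

    if (op != 'I' && op != 'D')
        return -1;
    if (inet_pton(AF_INET, dst, addr) == 1) {
        af = AF_INET;  tool = "iptables";
    } else if (inet_pton(AF_INET6, dst, addr) == 1) {
        af = AF_INET6; tool = "ip6tables";
    } else {
        return -1;
    }
    if (!inet_ntop(af, addr, canon, sizeof(canon)))
        return -1;
    n = snprintf(buf, len, "%s -%c %s -p esp -d %s -m esp --espspi %u -j ACCEPT",
                 tool, op, BYPASS_CHAIN, canon, (unsigned) spi);
    return (n < 0 || (size_t) n >= len) ? -1 : n;
}

int main(void)
{
    char cmd[160];
    /* Constructed sample values: documentation addresses and made-up SPIs. */
    if (esp_bypass_cmd('I', "192.0.2.10", 4660, cmd, sizeof(cmd)) > 0)
        puts(cmd);   /* added once the SPI/destination pair is known */
    if (esp_bypass_cmd('D', "192.0.2.10", 4660, cmd, sizeof(cmd)) > 0)
        puts(cmd);   /* same match, removed when the connection times out */
    if (esp_bypass_cmd('I', "2001:db8::1", 256, cmd, sizeof(cmd)) > 0)
        puts(cmd);
    return 0;
}
```

The delete command repeats the exact match of the insert, which is why the SPI and destination have to be kept with the connection state until the timeout fires.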
- Get this branch:
- bzr branch lp:~christof-mroz/hipl/hipfw-esp-speedup
Branch merges
- René Hummen: Approve
- Stefan Götz (community): Approve
- Diego Biurrun: Pending requested
Diff: 1091 lines (+720/-22)
14 files modified
Makefile.am (+1/-0)
firewall/conntrack.c (+366/-7)
firewall/conntrack.h (+3/-0)
firewall/firewall.c (+1/-0)
firewall/firewall.h (+1/-0)
firewall/firewall_defines.h (+4/-0)
firewall/helpers.c (+54/-9)
firewall/helpers.h (+5/-1)
firewall/main.c (+25/-2)
firewall/pisa.c (+5/-0)
test/check_firewall.c (+3/-1)
test/firewall/conntrack.c (+192/-2)
test/firewall/helpers.c (+59/-0)
test/firewall/test_suites.h (+1/-0)
Branch information
Recent revisions
- 5804. By Christof Mroz
Fix unsigned <-> signed cast direction.
A signed value that's known to be positive may be safely cast into an unsigned
value, but casting unsigned to signed carries the risk of overflow (in C).
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:hipl