一直研究iptables 性能,这几天刚好有硬件资源,于是发始下手测试iptables NAT 性……
硬件环境 :
服务器: IBM x3650 ( 4G E5645 6核 12线程) ESXi
测试服务器 : Ser1 配置 ( 1.5G 4核心 redhat 6.2 x64 iptables v 1.4)
测试服务器 : windows xp (512内存,2核心 ),Endpoint 用
网络环境 :Gbps
测试软件:业界公认的Ixchariot
TOP图
NAT FORWARD 默认为DROP
生成测试所需要的 iptables 规则,下面贴出生成iptables 脚本:
#!/bin/bash
###
##regard
#default output iptables policy file name is "iptables_policy",Please completed renamed
#default output mac bandding file name is "mac_policy",please completed renamed
###
start_ip=1
end_ip=3000
ip_n=0
## ip_n is subnet [ example 192.168.iP_n.x ]
###----------------------------------------------------------------------------
### PRIGRAM
###----------------------------------------------------------------------------
##############
while [ $start_ip -le $end_ip ]
# echo "[ $start_ip -gt $end_ip ]"
do
if [ $start_ip -eq 254 ]
then
ip_n=$(($ip_n + 1))
start_ip=1
end_ip=$(($end_ip - 253))
#reserve end_ip.254 (SSH control port)
fi
iptables -A FORWARD -i eth0 -s 192.168.$ip_n.$start_ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo "#arp -i" '$in_net' " -s 192.168.$ip_n.$start_ip " >> mac_policy
##display
echo "#iptables -A FORWARD add 192.168.$ip_n.$start_ip [OK] ; arp -i [ interface ] -s 192.168.$ip_n.$start_ip [OK] "
start_ip=$(($start_ip + 1 ))
done 30k 条规则测试 测试主机ACCEPT 在最后一条,ixchariot 测试结果:
Test Execution (Endpoint 1 to Endpoint 2)
| Group/ Pair | Endpoint 1 | Endpoint 2 | Network Protocol | Service Quality | Script/Stream Name |
|---|---|---|---|---|---|
| All Pairs | |||||
| Pair 1 | 192.168.10.249 | 192.168.100.24 | TCP | Throughput.scr |
Throughput
| Group/ Pair | Average (Mbps) | Minimum (Mbps) | Maximum (Mbps) | Throughput 95% Confidence Interval | Measured Time (secs) | Relative Precision |
|---|---|---|---|---|---|---|
| All Pairs | 81.009 | 52.875 | 94.787 | |||
| Pair 1 | 81.059 | 52.875 | 94.787 | 3.497 | 98.694 | 4.314 |
| Totals: | 81.009 | 52.875 | 94.787 |
服务器使用率:
关于si 、ksoftirqd 等这里就不作解释。
50k 条规则测试 测试主机ACCEPT 在最后一条,ixchariot 测试结果:
Test Execution (Endpoint 1 to Endpoint 2)
| Group/ Pair | Endpoint 1 | Endpoint 2 | Network Protocol | Service Quality | Script/Stream Name |
|---|---|---|---|---|---|
| All Pairs | |||||
| Pair 1 | 192.168.10.249 | 192.168.100.24 | TCP | Throughput.scr |
Throughput
| Group/ Pair | Average (Mbps) | Minimum (Mbps) | Maximum (Mbps) | Throughput 95% Confidence Interval | Measured Time (secs) | Relative Precision |
|---|---|---|---|---|---|---|
| All Pairs | 78.976 | 60.286 | 94.787 | |||
| Pair 1 | 79.023 | 60.286 | 94.787 | 3.418 | 101.236 | 4.326 |
| Totals: | 78.976 | 60.286 | 94.787 |
服务器性能:
把测试主机放在第一条时测试:
无论是 30k规则还是50k规则
Measured Time (secs) < 15 secs
说明iptables 规则顺序与延时有极为重要的关系,稍后附测试数据,与NetBSD 的PF 性能,敬请关注!
1737
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
