請教NF_QUEUE的性能

davhuang

請教，使用NF_QUEUE將數據包轉到用戶空間，作修改判斷，比起直接在內核中作，性能差別會有多大？

儘管作者很推薦，但的確不知性能會差多少，還是心有惴惴。

Using the libipq library and the `ip_queue' module, almost anything which can be done inside the kernel can now be done in userspace. This means that, with some speed penalty, you can develop your code entirely in userspace. Unless you are trying to filter large bandwidths, you should find this approach superior to in-kernel packet mangling.

據說2.6.1x之後的 nf_queue 比原先的 ip_queue 還有改善。

有若干防火牆，如snort-inline，nufw等，也用nf_queue實現，似乎也可用在大流量情況下。

有朋友使用過，了解其性能如何嗎？

platinum

使用 NFQUEUE 增加了从内核态到用户态的复制工作，势必影响性能
但在用户态可做的工作很多，比如有丰富的库可以使用，还可以使用多线程
在目前多核架构的 X86 系统中，使用 NFQUEUE 并不一定就会导致性能低下

davhuang

為何在 X86 系统中性能不低呢？
Mips, ARM中如何？

性能受影響免不了，就是不知道會差多少

platinum

為何在 X86 系统中性能不低呢？
davhuang 发表于 2010-09-07 14:47

这个结论你从哪得到的？断章取义了吧？

MIPS 的低端产品和 ARM 中更差，因为 CPU 本来就低，那些东西适合作手机产品
但是 MIPS64 那种多核架构（NSP）又是另一码事了，实现起来完全不同，这里就不讨论了

至于性能差多少，没有现成的 workbench 资料，只能自己测了

davhuang

在這裏找到一點數據
http://www.debian-administration.org/articles/540

Some benchmarks...

System: Intel Core 2 Duo T7200 2GHz (which was running with 1GHz all the time),
2GB RAM, 100Mb networkcard

During the tests the complete bandwith of 100Mbit was used (only Upload).

- Using scp to copy one 1500 MByte file to another machine in my LAN with
100Mbit cards without nfqueue

time of scp:
23,42s user 13,75s system 27% cpu 2:17,01 total

- the same copying with nfqueue and 165,000 rules inserted, with the above script which filters in INPUT and OUTPUT chains. Every packet was send to nfqueue, not just the ones with state NEW. Logging of nfqueue was disabled.

time of scp:
42,05s user 21,24s system 45% cpu 2:19,61 total

average cpu usage of nfqueue was:
* thread that was listening on the INPUT chain 7%
* thread that was listening on the OUTPUT chain 11%

The same test with 77,000 rules
time of scp:
42,01s user 21,44s system 45% cpu 2:19,80 total

nfqueue was running with 10% on the OUTPUT thread
and 7% on the other.

似乎性能相差還是不小。

種種原因，最終還是不用nf_queue了，有機會我自己測一下性能，與大家分享。