[OpenWrt-Devel] [PATCH] generic: Fix per interface nf_call_iptables setting
Felix Fietkau
nbd at openwrt.org
Thu Sep 3 06:52:07 EDT 2015
On 2015-09-02 19:47, Sven Eckelmann wrote:
> commit r30917 ("kernel: bypass all netfilter hooks if the sysctls for that
> functionality have been disabled - eliminates the overhead of enabling
> CONFIG_BRIDGE_NETFILTER in the kernel config") introduced an optimization
> which should reduce/eliminate the overhead for traffic sent over bridges on
> kernels compiled with CONFIG_BRIDGE_NETFILTER=y. But this optimization
> breaks the nf_call_iptables per bridge setting which is more fine grained
> than the global sysctl net.bridge.bridge-nf-call-iptables setting.
>
> A test reflecting a real world setup was created to identify if this really
> eliminates the overhead and if per-bridge nf_call_iptables could be used in
> some setups to increase the throughput. A Qualcomm Atheros QCA9558 based
> system with one ethernet and an ath9k wifi 3x3 in HT40 mode was used.
> Cables from the AP to the wifi station were used to reduce interference
> problems during the tests.
>
> The wlan interface was put in one bridge interface called br-wlan. This
> bridge usually contains some more wlan interfaces. The eth0 was put in a
> second bridge called br-lan. This usually contains some other privileged
> wlan or mesh interfaces. Routing was added between br-lan and br-wlan.
>
> Three kernels were tested:
>
> * (default) OpenWrt kernel for this device
> * (brfilter-global) OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y
> * (brfilter-local) OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y and
> without 644-bridge_optimize_netfilter_hooks.patch
>
> The changes to the netfilter settings of the bridge were done via:
>
> * (brfilter-global) /sbin/sysctl -w net.bridge.bridge-nf-call-iptables=1
> * (brfilter-local) echo 1 > /sys/class/net/br-lan/bridge/nf_call_iptables
> and/or echo 1 > /sys/class/net/br-wlan/bridge/nf_call_iptables
>
> A station connected to the wlan0 (AP) interface was used to send traffic to
> a PC connected via ethernet. iperf with 3 concurrent transmissions was used
> to generate the traffic.
>
> | kernel          | bridge-nf-call-iptables (global sysctl) | nf_call_iptables (per bridge) | download | upload |
> |-----------------|-----------------------------------------|-------------------------------|----------|--------|
> | default         | 0                                       | -                             | 209      | 268    |
> | brfilter-global | 0                                       | -                             | 185      | 243    |
> | brfilter-local  | 0                                       | -                             | 187      | 243    |
> | brfilter-local  | 0                                       | br-lan                        | 157      | 226    |
> | brfilter-local  | 0                                       | br-lan br-wlan                | 139      | 161    |
> | brfilter-global | 1                                       | -                             | 136      | 162    |
>
> Download/upload results in Mibit/s
>
> It can be seen that the patch doesn't eliminate the overhead. It can also
> be seen that the throughput of brfilter-global and brfilter-local with
> disabled filtering is roughly the same. Also the throughput for
> brfilter-global and brfilter-local for enabled filtering on all bridges is
> roughly the same.
>
> But also the brfilter-local throughput is higher when only br-lan requires
> the filtering. This setting would not be possible with
> 644-bridge_optimize_netfilter_hooks.patch applied and thus can only be
> compared with brfilter-global and filtering enabled for all interfaces.
Did your test have the ebtables modules loaded or not? If I remember
correctly, the patch you're removing was added mainly for the case where
CONFIG_BRIDGE_NETFILTER=y is set, but ebtables is not loaded.
- Felix
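The "brfilter-local" configuration from the table above, as an added shell example that is not part of the patch or of the thread: the global net.bridge.bridge-nf-call-iptables sysctl is switched off, nf_call_iptables is switched on only for the bridges named on the command line and off for every other bridge on the box, and each write is read back so that a silently ignored knob is reported instead of assumed. It assumes the sysfs path /sys/class/net/<bridge>/bridge/nf_call_iptables and the sysctl file /proc/sys/net/bridge/bridge-nf-call-iptables (the file that `sysctl -w net.bridge.bridge-nf-call-iptables=` writes to); the SYSFS_ROOT and PROC_ROOT variables are my addition so that the functions can be dry-run against a constructed directory tree instead of a live kernel.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt patch or the thread.
# Assumed kernel interfaces:
#   $SYSFS_ROOT/class/net/<bridge>/bridge/nf_call_iptables   (per-bridge knob)
#   $PROC_ROOT/sys/net/bridge/bridge-nf-call-iptables        (global sysctl)
# Both roots default to the real locations; point them at a constructed
# tree for a dry run (done in the self-check below the script).

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
PROC_ROOT="${PROC_ROOT:-/proc}"

global_knob() { printf '%s\n' "$PROC_ROOT/sys/net/bridge/bridge-nf-call-iptables"; }
bridge_knob() { printf '%s\n' "$SYSFS_ROOT/class/net/$1/bridge/nf_call_iptables"; }

# Write a value to a knob and read it back. Fails when the file is missing
# (no bridge netfilter support in this kernel, or the interface is not a
# bridge) or when the kernel kept a different value than the one written.
write_knob() {
    knob="$1" val="$2"
    [ -w "$knob" ] || { echo "missing or read-only: $knob" >&2; return 1; }
    echo "$val" > "$knob" || return 1
    [ "$(cat "$knob")" = "$val" ] || { echo "readback mismatch on $knob" >&2; return 1; }
}

# set_bridge_nf_local BRIDGE...: global off, the listed bridges on, all other
# bridges present under $SYSFS_ROOT/class/net off.
set_bridge_nf_local() {
    write_knob "$(global_knob)" 0 || return 1
    for dir in "$SYSFS_ROOT"/class/net/*/bridge; do
        [ -d "$dir" ] || continue
        br=${dir%/bridge}; br=${br##*/}
        want=0
        for sel; do [ "$sel" = "$br" ] && want=1; done
        write_knob "$(bridge_knob "$br")" "$want" || return 1
    done
}

# Print "global <0|1>" followed by one "<bridge> <0|1>" line per bridge.
show_bridge_nf() {
    printf 'global %s\n' "$(cat "$(global_knob)")"
    for dir in "$SYSFS_ROOT"/class/net/*/bridge; do
        [ -d "$dir" ] || continue
        br=${dir%/bridge}; br=${br##*/}
        printf '%s %s\n' "$br" "$(cat "$dir/nf_call_iptables")"
    done
}

# Typical use on the setup from the thread: filtering only on br-lan.
#   set_bridge_nf_local br-lan && show_bridge_nf
```

Two caveats worth keeping in mind when running this on a real box. The sysctl file only exists when bridge netfilter is built into the kernel or the br_netfilter module is loaded, so a missing file is the first thing the read-back check will report. And, as the commit message above describes, with 644-bridge_optimize_netfilter_hooks.patch applied the hooks are bypassed whenever the global sysctl is off, so the per-bridge value will read back as 1 but have no effect; the read-back only proves the kernel stored the value, not that packets on that bridge actually reach iptables.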
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel