BlogIT » High Speed Firewalling in Linux
In this age of virtualization, cluster and grid applications, the load on the server network interface tends to increase. Multi-homed servers were rare not more than 5 years ago; nowadays servers come with 4 NICs pre-installed. This, of course, increases complexity and network cost. Today I made a proposal for a couple of servers with more than 10 Gigabit interfaces. With the current state of technology, we are approaching the break-even point for 10 Gigabit network interfaces. This year will see the breakthrough of 10 Gigabit over copper in the datacentre.
The reduction of the number of interfaces will at least simplify the physical infrastructure, but I think management cost will decrease as well.
But what performance can we expect from 10 Gigabit/s interfaces? Not too long ago, servers had trouble even saturating a single 1 Gigabit interface. I did some tests myself, using a Sun X4100 server running CentOS 5 (Linux) and some quick kernel tuning. I was not disappointed with the results. I managed to get a throughput of 8.5 Gigabit per second, using TCP/IP over Ethernet (with Jumbo frames). These kinds of throughput are only possible with a NIC that supports TCP/IP offloading, like a Myricom card. I did this test also with an older 10 Gigabit Intel NIC and got stuck at 3.5 Gigabit per second. In all cases, one CPU core was fully used for processing and transmitting/receiving.
For normal business applications or high speed Internet connections, firewalling is a must. So what is the performance penalty?
It is surprisingly small. Network latency only increases by 2 microseconds (a 1-2% increase) and bandwidth suffers by 10-25 Mbit per second; that's less than 0.5%.
I am still analyzing the test results for one of the customers I work for, but I'd say that the (Linux) server is ready for the next step in networking.
The image below shows a graph of network frame spacing against bandwidth. Each line represents an iptables ruleset compared against the baseline performance (without rulesets).
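As an added worked example (not part of the original post), here is the arithmetic behind a frame-spacing-versus-bandwidth graph of this kind: it converts frame spacing to TCP goodput for a given MTU, gives the theoretical ceiling for 10 GbE with standard and jumbo frames, and expresses the 25 Mbit/s firewall penalty quoted above as an increase in frame spacing. Standard Ethernet, IPv4 and TCP header sizes are assumed; the 8.5 Gbit/s and 25 Mbit/s figures are the post's own.

```python
# Added example, not code from the original post. Relates Ethernet frame
# spacing to TCP goodput so that a "bandwidth lost to a ruleset" figure can
# be read as "extra time between frames".

PREAMBLE = 8      # preamble + start-of-frame delimiter, bytes
IFG = 12          # minimum inter-frame gap, in byte times
ETH_HDR = 14      # dst MAC, src MAC, EtherType
FCS = 4           # frame check sequence
IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options

def wire_bytes(mtu):
    """Byte times consumed on the wire by one full-MTU frame."""
    return PREAMBLE + IFG + ETH_HDR + mtu + FCS

def payload_bytes(mtu):
    """TCP payload carried by one full-MTU frame."""
    return mtu - IP_HDR - TCP_HDR

def max_goodput(link_bps, mtu):
    """Best achievable TCP goodput (bit/s) on a link of link_bps with this MTU."""
    return link_bps * payload_bytes(mtu) / wire_bytes(mtu)

def spacing_for_goodput(goodput_bps, mtu):
    """Frame spacing (seconds between frame starts) that yields goodput_bps."""
    return payload_bytes(mtu) * 8 / goodput_bps

def goodput_for_spacing(spacing_s, mtu):
    """Inverse of spacing_for_goodput: goodput (bit/s) for a given frame spacing."""
    return payload_bytes(mtu) * 8 / spacing_s

def ruleset_penalty(baseline_bps, penalty_bps, mtu):
    """Return (percent of bandwidth lost, added frame spacing in seconds)
    for a ruleset that costs penalty_bps relative to the baseline goodput."""
    with_rules = baseline_bps - penalty_bps
    pct = 100.0 * penalty_bps / baseline_bps
    added = spacing_for_goodput(with_rules, mtu) - spacing_for_goodput(baseline_bps, mtu)
    return pct, added

if __name__ == "__main__":
    for mtu in (1500, 9000):
        print(f"MTU {mtu}: 10GbE TCP ceiling {max_goodput(10e9, mtu) / 1e9:.3f} Gbit/s")
    # Figures from the post: 8.5 Gbit/s with jumbo frames, 25 Mbit/s lost to rules.
    print(f"spacing at 8.5 Gbit/s, MTU 9000: {spacing_for_goodput(8.5e9, 9000) * 1e6:.3f} us")
    pct, added = ruleset_penalty(8.5e9, 25e6, 9000)
    print(f"25 Mbit/s penalty = {pct:.2f}% = {added * 1e9:.1f} ns extra per frame")
```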
@yo
Sorry, the equipment I used is now on a fibre connection between two supercomputers. It is actually a new experiment, since I have now one system with 2 10Gb/E cards (Myrinet).
This created a problem since the option ROM of the X4100 server did not have enough space to use both cards. So the option ROM isn't used for one card. But since both cards are the same I'm hoping it will work (Linux detects them both). Also a new firmware revision for the server makes mention of this issue.
The computer will have at least some NAT rules and I also plan some conventional rules. Traffic will be a mix of UDP and TCP. I'm looking forward to the results. If I have any, I will post them of course.
Posted by Roel Gloudemans, 16/02/2008 11:11am (9 months ago)
Hey, any possibility you could test OpenBSD also? I'd really like to see their PF firewall at these speeds.
Posted by yo, 15/02/2008 8:48am (9 months ago)