About | Current Status | Documentation | Performance Tests | Downloads | About Us

At the moment we only have simple TCP throughput test results available. In the future we will perhaps add more in-depth tests and other interesting scenarios: latency tests and real work load simulations with realistic rulesets.

Test Setup

The following picture shows the simple setup for our performance test:

2 computers connected via crossover cable

We used two computers directly connected via crossover cable. One is generating the tcp packets and measuring the throughput, the other one is running the packet filter. In our case we are filtering in the INPUT chain. This certainly doesn't represent the real case where people do filtering in the FORWARD chain. We don't think this is a problem, because we are not interested in absolute numbers, we just want to compare the performance of the iptables filter table with the performance of nf-HiPAC, and for this, it doesn't matter where we do filtering.

Computer running the packet filter:

The hardware of the computer that generates the packets doesn't really matter as long as it is fast enough to fill the line. We used a Pentium III with 1.2 Ghz.

The performed test

The performed test illustrates worst case TCP throughput performance for different frame sizes and dependent on the amount of rules loaded into the kernel. We chose three of the frame sizes, that are recommended for ethernet in RFC 1944 , 128 bytes, 512 bytes and 1518 bytes. For each of the frame sizes we repeated the test with different numbers of rules. We started with 25 rules and doubled the number each time until we reached 25600 rules.

Measuring the throughput

When we started to look for network benchmarking tools we were really astonished that there are so few up-to-date and well maintained tools. For our TCP throughput test we finally decided to use iperf . Iperf is a tool to measure maximum TCP bandwidth between two nodes. We used it to generate a TCP stream from the packet generating computer to the packet filter and to measure the throughput. It is not possible to set the frame size directly via iperf, so we had to adjust the MTU accordingly to get the desired frame size values.

Generating the rules

The goal of the test is to simulate worst case performance. We used a simple perl script to construct worst case rulesets for a given number of rules. The iptables filter table uses a linear search algorithm: the data structure is a list of rules stored in order of decreasing priority. A packet is compared with each rule sequentially until a rule is found that matches all relevant fields. The time to classify a packet grows linearly with the number of rules. In order to construct the worst case for the iptables filter table our script makes sure that the algorithm has to traverse the whole chain before having a match. nf-HiPAC uses a more advanced approach to the packet classification problem. Our script generates rulesets for nf-HiPAC that lead to the theoretical worst case performance of the algorithm. Theoretical means that the resulting rulesets for a certain number of rules don't represent realistic rulesets, no ruleset in real use looks like that. When using nf-HiPAC with realistic rulesets you will get much better performance. We currently don't have any documentation available explaining the algorithm. In order to be able to follow why the used rules lead to the theoretical worst case performance of the algorithm you will fist have to understand how it works. We will add in-depth explanations of the rule generation as soon as we have some documentation of the algorithm online.