
@rosenhouse
Last active October 27, 2016 08:26
iptables perf

Set up

vagrant init ubuntu/xenial64  # or use ubuntu/trusty64 for a comparison point
vagrant up
vagrant ssh

Basics

Run these inside the vagrant box

sudo su
iptables -S        # see it is empty
./list-addrs 251   # see it print addresses, wrapping after 250 in LSB

time (./list-addrs 100 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
iptables -F FORWARD       # flush all rules from the FORWARD chain

Results

As a graph: (chart image not included in this copy; the raw timings it was plotted from follow)

Kernel 4.4 (Ubuntu 16.04 "Xenial")

root@ubuntu-xenial:/home/ubuntu# iptables -F FORWARD
root@ubuntu-xenial:/home/ubuntu# time (./list-addrs 100 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real  0m0.102s
user  0m0.000s
sys   0m0.012s

root@ubuntu-xenial:/home/ubuntu# iptables -F FORWARD
root@ubuntu-xenial:/home/ubuntu# time (./list-addrs 1000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real  0m2.269s
user  0m0.036s
sys   0m0.356s

root@ubuntu-xenial:/home/ubuntu# iptables -F FORWARD
root@ubuntu-xenial:/home/ubuntu# time (./list-addrs 2000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real  0m11.709s
user  0m0.572s
sys   0m7.252s

root@ubuntu-xenial:/home/ubuntu# iptables -F FORWARD
root@ubuntu-xenial:/home/ubuntu# time (./list-addrs 3000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real  0m33.965s
user  0m1.380s
sys   0m26.804s

Kernel 3.13 (Ubuntu 14.04 "Trusty")

root@vagrant-ubuntu-trusty-64:/vagrant# iptables -F FORWARD
root@vagrant-ubuntu-trusty-64:/vagrant# time (./list-addrs 100 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real  0m0.079s
user  0m0.005s
sys   0m0.072s

root@vagrant-ubuntu-trusty-64:/vagrant# iptables -F FORWARD
root@vagrant-ubuntu-trusty-64:/vagrant# time (./list-addrs 1000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real  0m0.815s
user  0m0.061s
sys   0m0.742s

root@vagrant-ubuntu-trusty-64:/vagrant# iptables -F FORWARD
root@vagrant-ubuntu-trusty-64:/vagrant# time (./list-addrs 2000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real  0m2.277s
user  0m0.287s
sys   0m1.956s

root@vagrant-ubuntu-trusty-64:/vagrant# iptables -F FORWARD
root@vagrant-ubuntu-trusty-64:/vagrant# time (./list-addrs 3000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real  0m3.975s
user  0m0.504s
sys   0m3.402s

Follow up

iptables-restore performs better.

list-addrs, the address generator used in the commands above:

#!/bin/bash
nRules="$1"
set -euf -o pipefail
# Require one argument, and require it to be an integer.
if [ -z "$nRules" ]; then
  echo "specify an integer number of addresses to generate"
  exit 1
fi
if ! [ "$nRules" -eq "$nRules" ] 2>/dev/null; then
  echo "specify an integer number of addresses to generate"
  exit 1
fi
# Emit nRules addresses in 10.10.0.0/16: the last octet cycles through 0..249
# and the third octet increments each time it wraps, so 251 addresses end at 10.10.1.0.
for i in $(seq 0 $(( nRules - 1 )) ); do
  lowbyte="$(( i % 250 ))"
  nextbyte="$(( i / 250 ))"
  addr="10.10.${nextbyte}.${lowbyte}"
  echo "$addr"
done
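The follow-up says iptables-restore performs better but does not show how the same rules are loaded that way. Each `iptables -A` fetches the whole table from the kernel, appends one entry and pushes the whole table back, so appending N rules one at a time costs roughly O(N^2), which matches the superlinear sys time in the Xenial runs above; iptables-restore sends the full ruleset in a single replace. The script below is an added example, not part of the gist: it reproduces the list-addrs addressing scheme as a shell function, builds an iptables-restore input file (`*filter` ... `COMMIT`) with one FORWARD ACCEPT rule per source address, and only touches the live firewall when invoked explicitly as `--apply N` by root. The function names (`list_addrs`, `gen_restore_input`, `count_rules`) and the `--apply` flag are this example's own inventions.

```shell
#!/bin/bash
# Added example (not from the gist): load the generated FORWARD rules with a
# single iptables-restore transaction instead of one iptables -A per rule.
set -eu

# Same wrapping scheme as the gist's list-addrs: last octet cycles 0..249,
# third octet increments every 250 addresses. Uses a counting loop rather
# than seq so it also runs under plain POSIX sh.
list_addrs() {
    n="$1"
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '10.10.%d.%d\n' $((i / 250)) $((i % 250))
        i=$((i + 1))
    done
}

# Emit an iptables-restore file for the filter table. Only FORWARD rules are
# listed, and there is no chain policy line, so loading it with --noflush
# leaves every other chain and the existing FORWARD rules untouched.
gen_restore_input() {
    echo '*filter'
    list_addrs "$1" | while read -r addr; do
        echo "-A FORWARD -s ${addr}/32 -j ACCEPT"
    done
    echo 'COMMIT'
}

# Sanity check before loading: number of rule lines in the generated file.
count_rules() {
    gen_restore_input "$1" | grep -c '^-A FORWARD'
}

# Apply only when asked to, and only as root; otherwise the functions above
# are just defined so the file can be sourced or inspected safely.
if [ "${1:-}" = "--apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root to apply rules" >&2
        exit 1
    fi
    n="${2:?specify the number of rules to load}"
    # --noflush appends to the current table instead of replacing it;
    # --test would parse the file without committing anything.
    gen_restore_input "$n" | iptables-restore --noflush
    echo "FORWARD rules now present: $(iptables -S FORWARD | grep -c '^-A FORWARD')"
fi
```

To compare with the per-rule timings above, run `time ./restore-example --apply 3000` in the same vagrant box after an `iptables -F FORWARD`; to check the file without changing anything, pipe `gen_restore_input 3000` into `iptables-restore --test`.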