tproxy performance issues on different 2.6 kernels
Hi,

I'm working on a firewall (reversed-proxy) that needs to provide the "foreign connection" feature. My firewall reads the requests from clients and passes the requests on to the server, so I'm using the foreign-connect so that the server sees the real client's IP.

It seems that I have some performance problems:
- On kernel 2.6.15, even without the TPROXY patches I get lousy performance; it seems that this is a well known bug with E1000 drivers, so I can't use this kernel.
- On kernel 2.6.10 + tproxy 2.0.1, I got nice results without the tproxy patch, but when I added the tproxy I got lousy performance.
- On kernel 2.6.14.7 + tproxy 2.0.3, I got great results without the tproxy patch (4500 trans/sec), but when I added the tproxy it was 3 times slower (1500 trans/sec) with many "failed to create a socket" errors.

Now, since I would like to stick with the (almost) latest versions, I believe that 2.6.14.7 is enough for me, but I would appreciate knowing:

1. Are there any known performance issues with the 2.6.14.7 kernel or with the tproxy-2.0.3?
2. My "kernel config" uses the following settings:

CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_TPROXY=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y

Do I need all these settings to get the "foreign-connect", or can I skip some and gain better results?

Thank you very much,
zvi ferents
> It seems that I have some performance problems:
> - On kernel 2.6.15, even without the TPROXY patches I get lousy performance; it seems that this is a well known bug with E1000 drivers, so I can't use this kernel.
> - On kernel 2.6.10 + tproxy 2.0.1, I got nice results without the tproxy patch, but when I added the tproxy I got lousy performance.
> - On kernel 2.6.14.7 + tproxy 2.0.3, I got great results without the tproxy patch (4500 trans/sec), but when I added the tproxy it was 3 times slower (1500 trans/sec) with many "failed to create a socket" errors.
Try these: https://lists.balabit.hu/pipermail/tproxy/2006-July/000273.html
> CONFIG_NETFILTER=y
> CONFIG_IP_NF_CONNTRACK=y
> CONFIG_IP_NF_TPROXY=y
> CONFIG_IP_NF_IPTABLES=y
> CONFIG_IP_NF_NAT=y
> CONFIG_IP_NF_NAT_NEEDED=y
>
> Do I need all these settings to get the "foreign-connect", or can I skip some and gain better results?
You can try enabling/disabling "NAT reservations".

Jan Engelhardt
--
How can I see (when compiling a new kernel) if the tproxy patch is really applied?

Thanks
Edinilson
---------------------------------------------------------
ATINET-Professional Web Hosting
Tel Voz: (0xx11) 4412-0876
http://www.atinet.com.br
> How can I see (when compiling a new kernel) if the tproxy patch is really applied?
Since it is not in the mainline kernel, it is simple: either you patched it in, or you did not. grep for TPROXY and tproxy in the source tree, and if you find nothing, then it is not in. If you find something, it may be included, in part or completely.

Jan Engelhardt
--
Then I think that I'm missing something somewhere, because the patch seems to be OK but, if I try:

iptables -t tproxy -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0

the following error is raised:

iptables v1.3.5: Unknown arg `--on-port'
Try `iptables -h' or 'iptables --help' for more information.

If I try:

iptables -t tproxy -A PREROUTING

the following error is raised:

FATAL: Module ip_tables not found.
iptables v1.3.5: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Thanks for your help
Edinilson
---------------------------------------------------------
ATINET-Professional Web Hosting
Tel Voz: (0xx11) 4412-0876
http://www.atinet.com.br

----- Original Message -----
From: "Jan Engelhardt" <jengelh@linux01.gwdg.de>
To: "Edinilson J. Santos" <edinilson@atinet.com.br>
Cc: <tproxy@lists.balabit.hu>
Sent: Wednesday, September 06, 2006 2:42 PM
Subject: Re: Is tproxy installed?
> Then I think that I'm missing something somewhere, because the patch seems to be OK but, if I try:
>
> iptables -t tproxy -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0
>
> the following error is raised:
>
> iptables v1.3.5: Unknown arg `--on-port'
> Try `iptables -h' or 'iptables --help' for more information.
This is a userspace problem. Besides patching the kernel, you also need to patch iptables. You need libipt_TPROXY.so (/usr/lib/iptables, /lib/iptables, depending on distro) on your system for -j TPROXY to work.
> If I try:
>
> iptables -t tproxy -A PREROUTING
>
> the following error is raised:
>
> FATAL: Module ip_tables not found.
"You are severely screwed". It seems like netfilter is not in your kernel at all.
> iptables v1.3.5: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
(Or perhaps one needs to be root.)

Jan Engelhardt
--
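The checks Jan Engelhardt describes in this thread (grep the source tree for TPROXY, confirm the CONFIG_IP_NF_TPROXY and CONFIG_IP_NF_IPTABLES options in the kernel .config, and look for libipt_TPROXY.so in the iptables library directories), written up as an added shell example that is not part of the thread. The function names, the directory arguments and the constructed sample layout are assumptions made here so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the list thread. Each function takes paths as
# arguments so it can be pointed at a real tree (e.g. /usr/src/linux,
# /usr/src/linux/.config, /usr/lib/iptables /lib/iptables).

# Kernel side, step 1: how many files in the source tree mention TPROXY?
# Zero means the patch is not in; a non-zero count means some of it is.
tproxy_in_source() {
    # $1 = kernel source tree
    grep -rl 'TPROXY' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Kernel side, step 2: value of a CONFIG_ option in a .config file.
# Prints y (built in), m (module) or n (absent / not set).
config_value() {
    # $1 = path to .config, $2 = option name, e.g. CONFIG_IP_NF_TPROXY
    v=$(sed -n "s/^$2=//p" "$1" 2>/dev/null)
    case "$v" in y|m) printf '%s\n' "$v" ;; *) printf 'n\n' ;; esac
}

# Userspace side: -j TPROXY needs libipt_TPROXY.so in the iptables lib dir.
# Prints the first match, or "missing" with a non-zero exit status.
tproxy_userspace_lib() {
    # $@ = directories to search, in order
    for d in "$@"; do
        if [ -f "$d/libipt_TPROXY.so" ]; then
            printf '%s\n' "$d/libipt_TPROXY.so"
            return 0
        fi
    done
    printf 'missing\n'
    return 1
}

# Constructed sample layout (assumption) so the checks can run offline:
# a patched-looking source tree, a .config, and one iptables lib dir.
make_sample_tree() {
    # $1 = base directory
    mkdir -p "$1/src/net/ipv4/netfilter" "$1/lib/iptables"
    printf '/* constructed stub */\n#define IPT_TPROXY 1\n' \
        > "$1/src/net/ipv4/netfilter/ipt_TPROXY.c"
    printf 'CONFIG_NETFILTER=y\nCONFIG_IP_NF_IPTABLES=y\nCONFIG_IP_NF_TPROXY=y\n' \
        > "$1/dot.config"
    : > "$1/lib/iptables/libipt_TPROXY.so"
}
```

On a real box, "n" for CONFIG_IP_NF_IPTABLES matches the "Module ip_tables not found" symptom above, while a TPROXY count of zero plus a missing libipt_TPROXY.so means neither the kernel nor iptables was patched.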