[置顶] iptables 性能测试

一直研究iptables 性能，这几天刚好有硬件资源，于是发始下手测试iptables NAT 性……

硬件环境：

服务器： IBM x3650 ( 4G E5645 6核 12线程) ESXi

测试服务器： Ser1 配置 ( 1.5G 4核心 redhat 6.2 x64 iptables v 1.4)

测试服务器： windows xp (512内存,2核心 ),Endpoint 用

网络环境：Gbps

测试软件：业界公认的Ixchariot

TOP图

NAT FORWARD 默认为DROP

生成测试所需要的 iptables 规则，下面贴出生成iptables 脚本：

#!/bin/bash

###

##regard

#default output iptables policy file name is "iptables_policy",Please completed renamed

#default output mac bandding file name is "mac_policy",please completed renamed

###

start_ip=1

end_ip=3000

ip_n=0

## ip_n is subnet [ example 192.168.iP_n.x ]

###----------------------------------------------------------------------------

###                        PRIGRAM

###----------------------------------------------------------------------------

##############

	while [ $start_ip -le $end_ip ]

#	echo "[ $start_ip -gt $end_ip ]"

	do

 	 	if [ $start_ip -eq 254 ]

               then

                       ip_n=$(($ip_n + 1))

                       start_ip=1

                       end_ip=$(($end_ip - 253))

                      #reserve end_ip.254 (SSH control port)

               fi

   iptables -A FORWARD -i eth0  -s 192.168.$ip_n.$start_ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

   echo "#arp -i" '$in_net' " -s 192.168.$ip_n.$start_ip "                                      >> mac_policy

   ##display

   echo "#iptables -A FORWARD add 192.168.$ip_n.$start_ip   [OK] ; arp -i [ interface ] -s 192.168.$ip_n.$start_ip    [OK] "

	start_ip=$(($start_ip + 1 ))

	done

30k 条规则测试测试主机ACCEPT 在最后一条，ixchariot 测试结果：

Test Execution (Endpoint 1 to Endpoint 2)

Group/ Pair	Endpoint 1	Endpoint 2	Network Protocol	Service Quality	Script/Stream Name
All Pairs
Pair 1	192.168.10.249	192.168.100.24	TCP		Throughput.scr

Throughput

Group/ Pair	Average (Mbps)	Minimum (Mbps)	Maximum (Mbps)	Throughput 95% Confidence Interval	Measured Time (secs)	Relative Precision
All Pairs	81.009	52.875	94.787
Pair 1	81.059	52.875	94.787	3.497	98.694	4.314
Totals:	81.009	52.875	94.787

服务器使用率：

关于si 、ksoftirqd 等这里就不作解释。

50k 条规则测试测试主机ACCEPT 在最后一条，ixchariot 测试结果：

Test Execution (Endpoint 1 to Endpoint 2)

Group/ Pair	Endpoint 1	Endpoint 2	Network Protocol	Service Quality	Script/Stream Name
All Pairs
Pair 1	192.168.10.249	192.168.100.24	TCP		Throughput.scr

Throughput

Group/ Pair	Average (Mbps)	Minimum (Mbps)	Maximum (Mbps)	Throughput 95% Confidence Interval	Measured Time (secs)	Relative Precision
All Pairs	78.976	60.286	94.787
Pair 1	79.023	60.286	94.787	3.418	101.236	4.326
Totals:	78.976	60.286	94.787

服务器性能：

把测试主机放在第一条时测试：

无论是 30k规则还是50k规则

Measured Time (secs) < 15 secs

说明iptables 规则顺序与延时有极为重要的关系，稍后附测试数据，与NetBSD 的PF 性能，敬请关注！