[置顶] iptables 性能 测试

一直研究iptables 性能，这几天刚好有硬件资源，于是发始下手测试iptables NAT 性……

  硬件环境  ： 

     服务器： IBM x3650 ( 4G  E5645 6核 12线程) ESXi

      测试服务器  ： Ser1 配置 ( 1.5G 4核心 redhat 6.2 x64 iptables v 1.4)

      测试服务器  ： windows xp (512内存,2核心 ),Endpoint 用

          网络环境  ：Gbps

           测试软件：业界公认的Ixchariot 

TOP图

         

NAT FORWARD 默认为DROP 

  生成测试所需要的 iptables 规则，下面贴出生成iptables 脚本：

#!/bin/bash
###
##regard
#default output iptables policy file name is "iptables_policy",Please completed renamed
#default output mac bandding file name is "mac_policy",please completed renamed
###
start_ip=1
end_ip=3000
ip_n=0
## ip_n is subnet [ example 192.168.iP_n.x ]

###----------------------------------------------------------------------------
###                        PRIGRAM 
###----------------------------------------------------------------------------

############## 
	while [ $start_ip -le $end_ip ]
#	echo "[ $start_ip -gt $end_ip ]"
	do
 	 	if [ $start_ip -eq 254 ]
               then
                       ip_n=$(($ip_n + 1))
                       start_ip=1
                       end_ip=$(($end_ip - 253))
                      #reserve end_ip.254 (SSH control port)
               fi
   iptables -A FORWARD -i eth0  -s 192.168.$ip_n.$start_ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
   echo "#arp -i" '$in_net' " -s 192.168.$ip_n.$start_ip "                                      >> mac_policy
   ##display
   echo "#iptables -A FORWARD add 192.168.$ip_n.$start_ip   [OK] ; arp -i [ interface ] -s 192.168.$ip_n.$start_ip    [OK] "
	start_ip=$(($start_ip + 1 ))
	done 

30k 条规则测试 测试主机ACCEPT 在最后一条，ixchariot 测试结果：

 

Test Execution (Endpoint 1 to Endpoint 2)

Group/ Pair	Endpoint 1	Endpoint 2	Network Protocol	Service Quality	Script/Stream Name
All Pairs
Pair 1	192.168.10.249	192.168.100.24	TCP		Throughput.scr

Throughput

Group/ Pair	Average (Mbps)	Minimum (Mbps)	Maximum (Mbps)	Throughput 95% Confidence Interval	Measured Time (secs)	Relative Precision
All Pairs	81.009	52.875	94.787
Pair 1	81.059	52.875	94.787	3.497	98.694	4.314
Totals:	81.009	52.875	94.787

服务器使用率：

关于si 、ksoftirqd 等这里就不作解释。

50k 条规则测试 测试主机ACCEPT 在最后一条，ixchariot 测试结果：

 

Test Execution (Endpoint 1 to Endpoint 2)

Group/ Pair	Endpoint 1	Endpoint 2	Network Protocol	Service Quality	Script/Stream Name
All Pairs
Pair 1	192.168.10.249	192.168.100.24	TCP		Throughput.scr

Throughput

Group/ Pair	Average (Mbps)	Minimum (Mbps)	Maximum (Mbps)	Throughput 95% Confidence Interval	Measured Time (secs)	Relative Precision
All Pairs	78.976	60.286	94.787
Pair 1	79.023	60.286	94.787	3.418	101.236	4.326
Totals:	78.976	60.286	94.787

服务器性能：

 

把测试主机放在第一条时测试：

 无论是 30k规则还是50k规则

Measured Time (secs)  < 15 secs

 说明iptables 规则顺序与延时有极为重要的关系，稍后附测试数据，与NetBSD 的PF 性能，敬请关注！