[LEDE-DEV] [RFC] Enable kmod-ipt-debug by default
Carl-Daniel Hailfinger
c-d.hailfinger.devel.2006 at gmx.net
Fri May 27 03:45:12 PDT 2016
Hi Jo,
On 27.05.2016 10:33, Jo-Philipp Wich wrote:
>
> with enabled by default you mean that it is getting built and
> installable with opkg?
Yes.
> If a kmod is specifically disabled by default settings then it usually
> has a performance penalty attached with it, even when not loaded.
>
> I'd be grateful if someone could do some iperf throughput testing with
> and without kmod-ipt-debug built/enabled/loaded and see if it makes any
> difference at all.
I did look at the code, and AFAICS the only code path affected by
compiling but not loading xt_TRACE is:
net/ipv[46]/netfilter/ip_tables.c:ipt_do_table()
The following code is run for each packet once for each firewall rule:

    if (unlikely(skb->nf_trace))
        ...

This is a single access to a bit in a bitfield of the skb, i.e.
read+mask and a not-taken branch marked as unlikely. Depending on CPU
architecture (i.e. cost of an unlikely branch not taken), the
performance impact should be minimal given that the skb has been
accessed directly before and it should be already in the CPU cache.
OTOH, using (instead of just compiling) xt_TRACE is going to have a
noticeable performance impact.
If someone wants to perform iperf testing, the key to making the impact
of the additional code path measurable is to have a few hundred iptables
rules matching the iperf traffic. That way, the additional code path
gets maximum impact.
Regards,
Carl-Daniel
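The measurement setup suggested at the end of the mail, as an added example that is not part of the original message: a POSIX shell script that writes an iptables-restore ruleset with a few hundred rules matching iperf traffic, so the per-rule `skb->nf_trace` check in ipt_do_table() runs once per rule for every benchmark packet. Rules carry no `-j` target, so they only update counters and never alter traffic. A second function emits the raw-table `-j TRACE` rule for the "using xt_TRACE" case. Assumptions (not from the mail): iperf3 with its default server port 5201, traffic reaching the filter table's INPUT chain, and the function names `gen_rules` and `gen_trace_rule`, which are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mail or the LEDE tree.
# Generates iptables-restore input for an iperf throughput comparison:
#   1. kmod-ipt-debug not built / not loaded, N counting rules
#   2. xt_TRACE loaded but unused, same N counting rules
#   3. xt_TRACE in use (TRACE rule in the raw table), same N counting rules
# Assumptions: iperf3 server on TCP 5201 (iperf2 would use 5001),
# benchmark traffic arrives on the filter table's INPUT chain.

# Emit N rules that all match the iperf flow but have no target, so each
# rule only bumps its counters and ipt_do_table() continues to the next.
# Usage: gen_rules 300 | iptables-restore -n     (-n appends, no flush)
gen_rules() {
    n=${1:-300}          # number of matching rules; "a few hundred"
    port=${2:-5201}      # iperf3 default server port (assumption)
    printf '%s\n' '*filter'
    i=1
    while [ "$i" -le "$n" ]; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m comment --comment \"bench-$i\""
        i=$((i + 1))
    done
    printf '%s\n' 'COMMIT'
}

# Emit the raw-table rule that marks the iperf flow for tracing.  This sets
# skb->nf_trace, so the unlikely() branch is taken in every one of the N
# rules above and xt_TRACE logs each traversal: the "using xt_TRACE" case.
# Usage: gen_trace_rule | iptables-restore -n   (only for run 3; remove after)
gen_trace_rule() {
    port=${1:-5201}
    printf '%s\n' '*raw'
    printf '%s\n' "-A PREROUTING -p tcp --dport $port -j TRACE"
    printf '%s\n' 'COMMIT'
}

# Count the generated filter rules, for sanity-checking the ruleset size.
rule_count() {
    grep -c '^-A INPUT'
}

# Measure each configuration the same way, e.g. on the device under test:
#   iperf3 -s
# and from a client on the other side of the firewall:
#   iperf3 -c <DUT address> -t 30
# Compare the reported throughput between runs 1, 2 and 3; only the
# difference between 1 and 2 is the cost of merely having the kmod built.
```

Because the generated rules have no target, removing them afterwards is a matter of flushing the INPUT chain (or restoring the saved ruleset); the TRACE rule in the raw table should be removed as soon as run 3 is finished, since tracing every packet of the flow is what produces the noticeable overhead the mail describes.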