
List:       ipfilter
Subject:    IP filter log performance.
From:       Darren Reed <darrenr () cyber ! com ! au>
Date:       1996-08-08 15:00:11


Doing testing of reading/logging packets on Solaris2, I ran "ipfstat" on
and off whilst flooding the box with pings (ping -f from FreeBSD).  With
only two rules (pass in log all & pass out log all), I watched with some
amusement how slowly the normal pickup really is:

ipmon > /dev/null
.........................................................................................
 input packets:         blocked 0 passed 110012 nomatch 0 counted 0
 input packets:         blocked 0 passed 110012 nomatch 0 counted 0
 packets logged:        input 0-97228 output 0-611011
.........................................................................................
 input packets:         blocked 0 passed 137698 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 137698
 packets logged:        input 0-121804 output 0-638663
.........................................................................................
 input packets:         blocked 0 passed 172040 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 172040
 packets logged:        input 0-152397 output 0-672947
.........................................................................................
 input packets:         blocked 0 passed 212424 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 212424
 packets logged:        input 0-189940 output 0-713257

ipmon -N >/dev/null
.........................................................................................
 input packets:         blocked 0 passed 42172 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 42172
 packets logged:        input 0-41760 output 0-755420
.........................................................................................
 input packets:         blocked 0 passed 113192 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 113192
 packets logged:        input 0-112100 output 0-826430
.........................................................................................
 input packets:         blocked 0 passed 165049 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 165049
 packets logged:        input 0-163472 output 0-878284
.........................................................................................
 input packets:         blocked 0 passed 215517 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 215517
 packets logged:        input 0-213472 output 0-928735

cat /dev/ipf > /dev/null
.........................................................................................
 input packets:         blocked 0 passed 58416 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 58416
 packets logged:        input 0-27685 output 0-956488
.........................................................................................
 input packets:         blocked 0 passed 119603 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 119603
 packets logged:        input 0-55854 output 0-984725
.........................................................................................
 input packets:         blocked 0 passed 198173 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 198173
 packets logged:        input 0-92249 output 0-1021199
.........................................................................................
 input packets:         blocked 0 passed 240838 nomatch 0 counted 0
 input packets logged:  blocked 0 passed 240838
 packets logged:        input 0-112002 output 0-1041026
.........................................................................................

(That the output count never goes down is a bug with ipf -Z which I've
 just fixed).

The "0-x" is a reference to packets logged (not as part of pass/block) and
the number of times a packet log was requested but denied (no more space in
the kernel buffer).  Although I hardly expect anyone would log that many
packets, it does serve as food for thought when considering how effective
the logging is.  It might also indicate that ipmon needs to be written to
read more effectively :-)  I hate to think what sort of impact that level
of logging would have on syslogd or a console :-)

The above was on a Sparc IPX, running Solaris 2.4 with no optimisation used
when compiling.

And I just stopped the ping:
.........................................................................................
1848218 packets transmitted, 1848190 packets received, 0% packet loss
round-trip min/avg/max = 0.948/3.398/62.665 ms

Darren
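To put the "0-x" figures in perspective, here is an added example (not part of Darren's message or of IP Filter itself) that parses the ipfstat samples above and works out, for each reader, what fraction of input log requests the kernel denied between the first and last sample. It assumes the counters are cumulative and were not zeroed with ipf -Z between samples.

```python
import re

# ipfstat samples copied from the message above, three consecutive samples per
# reader (the first "ipmon > /dev/null" sample is omitted: it lacks the "input
# packets logged" line).  "input 0-x" means x log requests denied (no buffer space).
SAMPLES = {
    "ipmon > /dev/null": """
 input packets logged:  blocked 0 passed 137698
 packets logged:        input 0-121804 output 0-638663
 input packets logged:  blocked 0 passed 172040
 packets logged:        input 0-152397 output 0-672947
 input packets logged:  blocked 0 passed 212424
 packets logged:        input 0-189940 output 0-713257
""",
    "ipmon -N >/dev/null": """
 input packets logged:  blocked 0 passed 42172
 packets logged:        input 0-41760 output 0-755420
 input packets logged:  blocked 0 passed 113192
 packets logged:        input 0-112100 output 0-826430
 input packets logged:  blocked 0 passed 165049
 packets logged:        input 0-163472 output 0-878284
""",
    "cat /dev/ipf > /dev/null": """
 input packets logged:  blocked 0 passed 58416
 packets logged:        input 0-27685 output 0-956488
 input packets logged:  blocked 0 passed 119603
 packets logged:        input 0-55854 output 0-984725
 input packets logged:  blocked 0 passed 198173
 packets logged:        input 0-92249 output 0-1021199
""",
}

PASSED_RE = re.compile(r"input packets logged:\s+blocked \d+ passed (\d+)")
DENIED_RE = re.compile(r"packets logged:\s+input \d+-(\d+) output")

def parse_samples(text):
    """Return cumulative (passed-and-logged, input log denied) pairs, one per sample."""
    passed = [int(n) for n in PASSED_RE.findall(text)]
    denied = [int(n) for n in DENIED_RE.findall(text)]
    return list(zip(passed, denied))

def log_loss(samples):
    """Fraction of input log requests denied between first and last sample."""
    # Counters are cumulative (assumed not zeroed in between), so differences
    # between samples give the figures for the sampled interval.
    (p0, d0), (pn, dn) = samples[0], samples[-1]
    return (dn - d0) / (pn - p0)

def loss_by_reader(samples=SAMPLES):
    """Map each reader command to its log-loss fraction over the sampled interval."""
    return {name: log_loss(parse_samples(text)) for name, text in samples.items()}
```

On these samples ipmon loses roughly 91% of log requests, ipmon -N about 99%, and cat /dev/ipf about 46%, which is the "needs to read more effectively" point in numbers.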
