IPTables Mangle Table Slows Down Connection when Uploading Large Files

jkockler
jkockler used Ask the Experts™
on
Greetings,

I am using Linux as a router, IPTables / Netfilter.

I have run into a problem with the MANGLE table rules slowing down the internet connection to a crawl when uploading files with various cloud based backup software. If I remove the Mangle table rules, the problem resolves. With the MANGLE rules in place and while uploading files, my ping times to google for example, are consistently above 500ms. If I remove the MANGLE rules, ping times are normal 14ms - 50ms.

The purpose of my mangle rules are to prioritize SIP and RTP traffic for VoIP, and then all else to the default queue.

Here are my mangle table rules:

-A PREROUTING -p udp -m udp --dport 10000:21099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 10000:21099 -j RETURN
-A PREROUTING -p udp -m udp --dport 5060:5099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 5060:5099 -j RETURN
-A PREROUTING -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -j RETURN


Any ideas on how I can speed up the packets through the mangle table?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Software Developer
Commented:
I think the dport ranges are the trouble. I believe I recall reading that it checks for each port in the range individually. (To verify this, try removing only the first 2 rules (with the big port ranges)).
If I'm right, you should get a major improvement by converting to use nftables. nftables uses the same filter framework as iptables but with a much improved packet classification method (modelled after that used by tcpdump).
The syntax of nftables is all new. I've been meaning to learn it since it came out - your question has piqued my interest again.

Author

Commented:
Thank you. That actually makes sense about the port ranges. I can definitely trim that down if it ends up being the fix. I will let you know how it goes.
Duncan RoeSoftware Developer
Commented:
A couple of alternatives to converting to nftables
- Use the u32 target: this allows arithmetic comparisons as described in man iptables-extensions
- Use IP sets. See man ipset, also the set extension in man iptables-extensions
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Interesting! Thank you for that. I will look into that as well.

I can report that dialing back the amount of ports in the mangle table definitely improved the situation. It's certainly not perfect, but the network is at least usable when the uploads are taking place. Ping times have dropped from spiking to 1,000ms to google, to about 100-300ms spikes.
nociSoftware Engineer
Distinguished Expert 2018
Commented:
Another improvement...
first mark all packets with mark 2.

Then select the ones for mark 1 and mark those. That saves on the returns....
(and checks on ports for those returns).
Duncan RoeSoftware Developer

Commented:
The author has acknowledged that the problem is identified and explained. However he has not posted a progress update for some time. Assume he will get there.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial