FireBall
asked on
Need an advice about kernel area
Hello,
We are building an IDS/IPS/WAF system that reads packets from PF_RING and applies rules to iptables / Netfilter / ntuple.
That software needs to access userspace for iptables and kernelspace for Netfilter, so we already pipe both sides.
But our main concern is the performance issue. Time is our biggest enemy and we need to solve the problem in micro / milliseconds.
So where is the best working area for the main core of our software for performance: kernel space or user space? And why?
Thanks for the information
ASKER
iptables has some issues when it is under a huge traffic load, for example the test result given below on net_recv.
iptables -I INPUT -s xx.xx.xx.xx -j DROP applied only -> this drops the traffic, and the first test made with this rule is OK.
I have added another rule with an "A" definition as the second rule after the blocking one:
iptables -I INPUT -p tcp -j ACCEPT
and the result is given below. If I add some other rules after blocking the traffic, it makes the latency issue worse. I think iptables keeps using memory or some other resource, so when I apply more rules after the traffic is cleaned it still keeps getting higher latency.
[root@centos7 staps]# sh receive.sh
Pass 1: parsed user script and 120 library scripts using 227452virt/40492res/3256shr/37432data kb, in 430usr/20sys/458real ms.
Pass 2: analyzed script: 4 probes, 3 functions, 4 embeds, 3 globals using 265312virt/79368res/4452shr/75292data kb, in 720usr/200sys/922real ms.
Pass 3: using cached /root/.systemtap/cache/71/stap_71b15524ce81fbb06b5374bfceef9648_4311.c
Pass 4: using cached /root/.systemtap/cache/71/stap_71b15524ce81fbb06b5374bfceef9648_4311.ko
Pass 5: starting run.
Duration min:0us avg:3us max:168us count:2866019
Duration (us):
value |-------------------------------------------------- count
0 | 32167
1 | 9999
2 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1723569
4 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 973472
8 |@@@ 111055
16 | 14777
32 | 376
64 | 585
128 | 19
256 | 0
512 | 0
Pass 5: run completed in 0usr/50sys/30580real ms.
[root@centos7 staps]# sh receive.sh
Pass 1: parsed user script and 120 library scripts using 227460virt/40492res/3256shr/37440data kb, in 460usr/60sys/522real ms.
Pass 2: analyzed script: 4 probes, 3 functions, 4 embeds, 3 globals using 265320virt/79372res/4452shr/75300data kb, in 1000usr/300sys/1299real ms.
Pass 3: using cached /root/.systemtap/cache/71/stap_71b15524ce81fbb06b5374bfceef9648_4311.c
Pass 4: using cached /root/.systemtap/cache/71/stap_71b15524ce81fbb06b5374bfceef9648_4311.ko
Pass 5: starting run.
Duration min:0us avg:46us max:172119us count:2288864
Duration (us):
value |-------------------------------------------------- count
0 |@ 39677
1 | 7751
2 | 1599
4 | 320
8 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1853507
16 |@@@@@@@@@ 342500
32 | 34038
64 | 751
128 | 158
256 | 286
512 | 6175
1024 | 1348
2048 | 0
4096 | 1
8192 | 0
16384 | 4
32768 | 56
65536 | 680
131072 | 13
262144 | 0
524288 | 0
Please remove FreeBSD from the topics: this is clearly Linux-specific.
So you get speed + no worries about memory management or pointer boundaries. Debugging kernel code requires tremendous time.
https://netfilter.org/ provides details.
https://wiki.nftables.org/
Keep in mind stable nftables requires a very recent OS.
If your product has to run on many different OS versions, then best stick with iptables.
Also, if you have rules which apply to many IPs, then using ipset will greatly speed up your product's performance.
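To make the ipset suggestion concrete, here is an added example (written for this page, not code from the thread or from the netfilter project) that builds the same blocklist two ways: one DROP rule per address, as in the asker's test, and one ipset plus a single iptables rule that matches against it. The addresses are a constructed sample from the documentation ranges, the set name "blocklist" is an assumption, and nothing is applied: the functions only print the commands, so they can be reviewed and then loaded as root on a test box with the real iptables and ipset binaries.

```shell
#!/bin/sh
# Added example: generate a blocklist as (a) per-IP iptables rules and
# (b) an ipset with one iptables rule. Nothing is applied to the running
# kernel; the commands are printed for review.

# Constructed sample blocklist (documentation-range addresses, not real hosts).
BLOCKLIST="192.0.2.10
192.0.2.11
198.51.100.7
203.0.113.42"

# (a) One rule per address. Every packet entering INPUT walks this list
# top to bottom until a rule matches, so the per-packet cost grows
# linearly with the number of blocked addresses.
gen_per_ip_rules() {
    for ip in $BLOCKLIST; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# (b) One kernel hash set plus one rule. The addresses live in the set;
# the single rule does a hash lookup, so the cost stays flat however
# many addresses are blocked. "-exist" makes the commands idempotent.
gen_ipset_rules() {
    printf 'ipset -exist create blocklist hash:ip\n'
    for ip in $BLOCKLIST; do
        printf 'ipset -exist add blocklist %s\n' "$ip"
    done
    printf 'iptables -A INPUT -m set --match-set blocklist src -j DROP\n'
}

# Number of iptables rules a generated command list would install
# (read from stdin).
count_iptables_rules() {
    grep -c '^iptables '
}

# Stand-alone usage: print both variants and compare the rule counts.
echo "# (a) per-IP rules:"
gen_per_ip_rules
echo "# (b) ipset rules:"
gen_ipset_rules
echo "# per-IP approach installs $(gen_per_ip_rules | count_iptables_rules) iptables rules"
echo "# ipset approach installs $(gen_ipset_rules | count_iptables_rules) iptables rule"
```

With four addresses the difference is small, but the chain in (a) grows by one rule per address while (b) stays at one rule regardless of the set size. To load a reviewed variant, redirect a function's output to a file (for example `gen_ipset_rules > ipset.sh`) and run it as root; for larger rule sets, feeding the iptables rules through `iptables-restore` applies them atomically instead of one command at a time.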