[106429] in North American Network Operators' Group


Re: Software router state of the art

daemon@ATHENA.MIT.EDU (Rubens Kuhl Jr.)
Mon Jul 28 16:00:59 2008

Date: Mon, 28 Jul 2008 17:00:35 -0300
From: "Rubens Kuhl Jr." <rubensk@gmail.com>
To: "Joe Greco" <jgreco@ns.sol.net>
In-Reply-To: <200807281607.m6SG7k5d098053@aurora.sol.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

>> It keeps track of Src/Dst/QoS/Ethernet adapters/etc.. Additionally most
>> systems have the iptables modules loaded in kernel and the conntrack
>> module in kernel. This immediately activates connection tracking,
>> therefore considerably slowing down software routing. The most optimal
>> way of speeding this up would be sticking the route cache into somewhat
>> faster memory. Though it would be fairly nice to get rid of the route
>> cache as that can cause problem with eccentric setups. Also, as cache
>> entries take a moment to be deleted, or degrade leading to convergence
>> times being higher.
>
> Note .. to .. self ..  Linux .. makes .. crappy .. router.  Got it.
>
> Guess we'll continue to use FreeBSD, and the lesson to come away with
> is that it probably pays to avoid technologies that are suboptimal
> for the task at hand.  Not everything is created equal.  It also pays
> to tune things.  If "conntrack" hurts, then remove it.

You can use Linux without conntrack. You can either do "rmmod
ip_conntrack" (unload the module), rm /var/lib/modules/ip_conntrack
(or something like that to erase the file) or use the RAW queue to
forward some packets without connection tracking (-j NOTRACK) and some
others with conntrack (proxy redirection, captive portal and things
like that require stateful forwarding on any platform).

I would be more worried about the prefix match and route cache done by
the operating system you are considering for use as a router. That
cannot be circumvented by turning off conntrack, pf or anything that
might do more with the packet than plain simple routing.


Rubens
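The split Rubens describes (untracked transit traffic, tracked flows only where a captive-portal redirect needs state), written out as an added example; this is not code from the post or from any router project. Interface names and port numbers are constructed placeholders, and the function prints the iptables commands rather than applying them, so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example, not from the original post. Emits iptables commands that
# bypass connection tracking in the raw table (-j NOTRACK) for forwarded
# traffic, while keeping the LAN HTTP flows a captive portal redirects
# tracked: REDIRECT needs a conntrack entry to translate the replies back.
# Interfaces and ports are constructed placeholders.
#
# Usage (as root, after reading the output):  raw_rules eth0 eth1 80 8080 | sh

# raw_rules WAN_IF LAN_IF HTTP_PORT PORTAL_PORT
raw_rules() {
    wan=$1; lan=$2; http=$3; portal=$4

    # 1. Exception first. RETURN in a built-in chain ends raw-table
    #    traversal with the chain policy (ACCEPT), so these packets reach
    #    conntrack normally and can be NATed below.
    printf 'iptables -t raw -A PREROUTING -i %s -p tcp --dport %s -j RETURN\n' "$lan" "$http"

    # 2. Everything else entering on either side is forwarded untracked:
    #    no conntrack entry is allocated and no state lookup is paid.
    printf 'iptables -t raw -A PREROUTING -i %s -j NOTRACK\n' "$lan"
    printf 'iptables -t raw -A PREROUTING -i %s -j NOTRACK\n' "$wan"

    # 3. The stateful part: still-tracked LAN HTTP goes to the local portal.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$lan" "$http" "$portal"
}

# Number of NOTRACK rules in the generated set, as a quick self-check.
notrack_count() {
    raw_rules "$@" | grep -c -- '-j NOTRACK'
}

# Stand-alone run: print the ruleset for the constructed interface names.
raw_rules eth0 eth1 80 8080
```

Two caveats when applying this. Packets that hit NOTRACK carry conntrack state UNTRACKED, so a filter table written around `-m state --state ESTABLISHED,RELATED -j ACCEPT` with a DROP policy will drop the transit traffic unless it is also matched with `--ctstate UNTRACKED` (or without a state match at all). And the rmmod route mentioned in the post only succeeds once nothing else holds a reference to the tracking module (nat and conntrack-match modules have to go first); on kernels newer than the 2008 thread the module is named nf_conntrack rather than ip_conntrack.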

