openwrt/target/linux
Felix Fietkau 5fcafa319d generic: Fix per interface nf_call_iptables setting
commit r30917 ("kernel: bypass all netfilter hooks if the sysctls for that
functionality have been disabled - eliminates the overhead of enabling
CONFIG_BRIDGE_NETFILTER in the kernel config") introduced an optimization
which should reduce/eliminate the overhead for traffic sent over bridges on
kernels compiled with CONFIG_BRIDGE_NETFILTER=y. But this optimization
breaks the nf_call_iptables per bridge setting which is more fine grained
than the global sysctl net.bridge.bridge-nf-call-iptables setting.

A test reflecting a real world setup was created to identify if this really
eliminates the overhead and if per-bridge nf_call_iptables could be used in
some setups to increase the throughput. A Qualcomm Atheros QCA9558 based
system with one ethernet and an ath9k wifi 3x3 in HT40 mode was used.
Cables from the AP to the wifi station were used to reduce interference
problems during the tests.

The wlan interface was put in one bridge interface called br-wlan. This
bridge usually contains some more wlan interfaces. The eth0 was put in a
second bridge called br-lan. This usually contains some other privileged
wlan or mesh interfaces. Routing was added between br-lan and br-wlan.

Three kernels were tested:

 * (default) OpenWrt kernel for this device
 * (brfilter-global) OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y
 * (brfilter-local)  OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y and
    without 644-bridge_optimize_netfilter_hooks.patch

The changes to the netfilter settings of the bridge were done via:

 * (brfilter-global) /sbin/sysctl -w net.bridge.bridge-nf-call-iptables=1
 * (brfilter-local) echo 1 > /sys/class/net/br-lan/bridge/nf_call_iptables
   and/or echo 1 > /sys/class/net/br-wan/bridge/nf_call_iptables

A station connected to the wlan0 (AP) interface was used to send traffic to
a PC connected via ethernet. iperf with 3 concurrent transmissions was used
to generate the traffic.

| kernel          | br-nf-* global | nf-call* iface | download | upload   |
|-----------------|----------------|----------------|----------|----------|
| default         | 0              | -              |      209 |      268 |
| brfilter-global | 0              | -              |      185 |      243 |
| brfilter-local  | 0              | -              |      187 |      243 |
| brfilter-local  | 0              | br-lan         |      157 |      226 |
| brfilter-local  | 0              | br-lan br-wlan |      139 |      161 |
| brfilter-global | 1              | -              |      136 |      162 |

Download/upload results in Mibit/s

It can be seen that the patch doesn't eliminate the overhead. It can also
be seen that the throughput of brfilter-global and brfilter-local with
disabled filtering is roughly the same. Also the throughput for
brfilter-global and brfilter-local for enabled filtering on all bridges is
roughly the same.

But also the brfilter-local throughput is higher when only br-lan requires
the filtering. This setting would not be possible with
644-bridge_optimize_netfilter_hooks.patch applied and thus can only be
compared with brfilter-global and filtering enabled for all interfaces.

Signed-off-by: Sven Eckelmann <sven@open-mesh.com>

SVN-Revision: 46835
2015-09-09 18:40:15 +00:00
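
An added example, not part of the commit or of OpenWrt: a POSIX shell audit of the two switches the message describes, the global net.bridge.bridge-nf-call-iptables sysctl and the per-bridge nf_call_iptables sysfs file, reporting for each bridge whether its bridged traffic reaches iptables rules. It assumes the behaviour without 644-bridge_optimize_netfilter_hooks.patch, where either switch set to 1 enables filtering; the function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: per bridge, is bridged traffic handed to iptables?
# Assumption: without the 644 patch, a bridge is filtered when the global
# sysctl OR the bridge's own nf_call_iptables flag is 1.

# bridge_nf_report [NET_DIR] [GLOBAL_FILE]
#   NET_DIR      directory laid out like /sys/class/net
#   GLOBAL_FILE  file holding net.bridge.bridge-nf-call-iptables
bridge_nf_report() {
    net_dir=${1:-/sys/class/net}
    global_file=${2:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    # A missing sysctl file means bridge netfilter is not available: use 0.
    global=0
    [ -r "$global_file" ] && global=$(cat "$global_file")
    for flag in "$net_dir"/*/bridge/nf_call_iptables; do
        [ -r "$flag" ] || continue          # glob matched nothing: no bridges
        br=${flag%/bridge/nf_call_iptables}
        br=${br##*/}
        local_v=$(cat "$flag")
        if [ "$global" = 1 ] || [ "$local_v" = 1 ]; then
            state=filtered
        else
            state=bypassed                  # iptables rules never see this bridge
        fi
        echo "$br global=$global local=$local_v $state"
    done
}

# Constructed tree mirroring the "br-lan only" row of the results table.
demo_report() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/net/br-lan/bridge" "$tmp/net/br-wlan/bridge" "$tmp/net/eth0"
    echo 1 > "$tmp/net/br-lan/bridge/nf_call_iptables"
    echo 0 > "$tmp/net/br-wlan/bridge/nf_call_iptables"
    echo 0 > "$tmp/global"
    bridge_nf_report "$tmp/net" "$tmp/global"
    rm -rf "$tmp"
}

demo_report
```

Called with no arguments on a device, `bridge_nf_report` reads the live /sys/class/net and /proc/sys paths instead of the demo tree.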
..
adm5120 adm5120: disable the openwrt commandline hack 2015-08-30 12:17:54 +00:00
adm8668 build: Prevent more gzip timestamps 2015-07-14 09:57:45 +00:00
ar7 ar7: fix HIGHMEM_START (#20427) 2015-09-02 16:22:44 +00:00
ar71xx image: move netgear-image to top and rename to -dni 2015-09-04 14:45:09 +00:00
arm64 arm64: use common image prefix 2015-05-27 14:57:38 +00:00
at91 at91: fix usb rate backport patch tab mangle 2015-08-17 16:10:49 +00:00
ath25 ath25: disable the openwrt commandline hack 2015-08-30 12:17:56 +00:00
au1000 image: fix jffs2(_nand) image generation 2015-08-05 13:55:52 +00:00
bcm53xx bcm53xx: support sysupgrade with Netgear R7000 original firmware 2015-08-26 15:21:14 +00:00
brcm47xx brcm47xx: apply serial flash size trick to Netgear WNR1000 V3 2015-09-08 05:24:57 +00:00
brcm63xx kernel: update 3.18 to 3.18.21 2015-09-02 10:18:15 +00:00
brcm2708 kernel: update 3.18 to 3.18.21 2015-09-02 10:18:15 +00:00
cns3xxx kernel: update 3.18 to 3.18.21 2015-09-02 10:18:15 +00:00
gemini kernel: refresh patches for 4.1 2015-07-22 12:51:11 +00:00
generic generic: Fix per interface nf_call_iptables setting 2015-09-09 18:40:15 +00:00
imx6 kernel: update 3.18 to 3.18.14 2015-05-21 19:32:46 +00:00
ipq806x ipq806x: add support for Netgear Nighthawk X4 R7500 2015-09-04 14:46:06 +00:00
ixp4xx kernel: update 4.1 to 4.1.5 2015-08-14 13:06:33 +00:00
kirkwood kirkwood: add wpad-mini to router profiles 2015-08-05 13:56:02 +00:00
lantiq kernel: update 3.18 to 3.18.21 2015-09-02 10:18:15 +00:00
malta malta: disable the openwrt commandline hack 2015-08-30 12:18:05 +00:00
mcs814x mcs814x: use firmware partition splitter on dLAN USB Extender 2015-08-17 06:16:19 +00:00
mpc85xx mpc85xx: Enable RFKill and USB Power GPIO Control for WDR4900v1 2015-07-09 06:56:45 +00:00
mvebu This had been set in r44508 as a workaround for switch problems. 2015-08-21 08:10:48 +00:00
mxs kernel: update 4.1 to 4.1.4 2015-08-05 13:55:14 +00:00
netlogic netlogic: copy initramfs image to $(BIN_DIR) 2015-04-23 22:31:36 +00:00
octeon octeon: fix imagebuilder 2015-05-29 11:28:20 +00:00
omap kernel: remove packaging of kmod-crypto-core and kmod-crypto-arc4 2015-09-08 12:31:04 +00:00
omap24xx omap24xx: Add basic config for linux-4.0 2015-03-19 18:45:32 +00:00
orion kernel: remove packaging of kmod-crypto-core and kmod-crypto-arc4 2015-09-08 12:31:04 +00:00
oxnas kernel: update 4.1 to 4.1.6 2015-08-23 18:06:11 +00:00
ppc40x ppc40x: upgrade to 3.18 2015-04-12 20:48:13 +00:00
ppc44x image: fix jffs2(_nand) image generation 2015-08-05 13:55:52 +00:00
pxa kernel: disable ARCH_NEEDS_CPU_IDLE_COUPLED 2015-03-06 07:56:34 +00:00
ramips kernel: update 3.18 to 3.18.21 2015-09-02 10:18:15 +00:00
rb532 kernel: update 3.18 to 3.18.14 2015-05-21 19:32:46 +00:00
realview realview: use common image prefix 2015-05-27 15:34:38 +00:00
sunxi kernel: remove packaging of kmod-crypto-core and kmod-crypto-arc4 2015-09-08 12:31:04 +00:00
uml uml: remove linux 3.14 support 2015-03-28 13:20:52 +00:00
x86 kernel: remove kmod-crypto-aes, AES crypto support is always built into the kernel 2015-07-24 15:36:08 +00:00
xburst image: fix jffs2(_nand) image generation 2015-08-05 13:55:52 +00:00
Makefile