Speed up iptables with connmark!


Hello! Yesterday I worked hard and optimized iptables with the mangle table, ipset and iproute2.
We want to mark addresses (listed in an ipset) that should be routed to another host, and send all other packets via another gateway.
These rules need minimal resources to serve only the clients that are currently online (discovered dynamically on the NAT server, instead of being statically created in iproute2, which is how it worked before).
Let's start.

iptables. Pay attention to --set-xmark: this is the value we will use in the ip rule fwmark (0x26 is 38 in decimal).
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -m set --match-set realips src -j MARK --set-xmark 0x26/0xffffffff
-A PREROUTING -m state --state NEW -m set --match-set realips src -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT

iproute2
ip ro add default via x.x.x.x table 38
ip ru add fwmark 38 table 38
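As an added illustration (not part of the original post), here is a small Python model of the three mangle rules and the fwmark ip rule: a toy dictionary stands in for the kernel conntrack table, and the realips addresses are constructed. It shows that the ipset lookup decides the mark on the first packet of a flow and conntrack carries that mark to every later packet, replies included, so all of them are routed through table 38.

```python
# Model of the mangle/PREROUTING ruleset and the fwmark ip rule above.
# Hypothetical toy conntrack: flow key -> saved connmark (ctmark).
CONNTRACK = {}
MARK = 0x26                                     # --set-xmark 0x26 == decimal 38
REALIPS = {"203.0.113.10", "203.0.113.11"}      # constructed stand-in for the "realips" ipset


def flow_key(src, sport, dst, dport):
    """Direction-independent key so original and reply hit the same entry."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def prerouting(src, sport, dst, dport):
    """Apply the three rules in order; return (fwmark, routing table used)."""
    key = flow_key(src, sport, dst, dport)
    established = key in CONNTRACK              # -m state --state ESTABLISHED
    mark = 0                                    # skb mark starts at zero
    # 1. -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark
    if established:
        mark = CONNTRACK[key]
    # 2. -m set --match-set realips src -j MARK --set-xmark 0x26/0xffffffff
    if src in REALIPS:
        mark = MARK
    # 3. -m state --state NEW -m set --match-set realips src -j CONNMARK --save-mark
    if not established:
        # conntrack creates an entry for every new flow; only realips flows get ctmark 38
        CONNTRACK[key] = mark if src in REALIPS else 0
    # ip ru add fwmark 38 table 38: marked packets use the alternate gateway
    table = 38 if mark == 38 else "main"
    return mark, table


def demo():
    """Four packets, two flows: one from a real IP and one from elsewhere."""
    CONNTRACK.clear()
    return [
        prerouting("203.0.113.10", 40000, "198.51.100.5", 80),  # NEW from real IP: marked 38
        prerouting("198.51.100.5", 80, "203.0.113.10", 40000),  # reply: mark restored from conntrack
        prerouting("192.0.2.7", 40001, "198.51.100.5", 80),     # not in the set: mark 0, main table
        prerouting("198.51.100.5", 80, "192.0.2.7", 40001),     # reply: restores ctmark 0
    ]


if __name__ == "__main__":
    for mark, table in demo():
        print(f"fwmark={mark} table={table}")
```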

Testing platform
Two X5650 CPUs (without HT), Intel X520 SFP+ 10 Gbps network card with the ixgbe driver, kernel 3.9.5

Statistics
Conntrack: 1.2M
Speed: IN 5.84Gbps, OUT 1.95Gbps (7.8Gbps in both directions)
CPU: 6% idle

Old statistics (with ~500 IPs permanently added to ip rule routing)
Conntrack: 381K
Speed: IN 1.95Gbps, OUT 730Mbps (2.7Gbps in both directions)
CPU: 57% idle
