On 6/24/24 10:09, Eric Garver wrote:
On Fri, Jun 21, 2024 at 04:17:01PM -0600, R C wrote:
On 6/21/24 12:52, Eric Garver wrote:
On Fri, Jun 21, 2024 at 11:11:15AM -0600, R C wrote:
On 6/20/24 08:45, Eric Garver wrote:
On Mon, Jun 17, 2024 at 11:58:49AM -0600, R C wrote:
Hello,
I was wondering, in high performance environments (high compute loads, high bandwidth loads (IB)), is it a concern to run a firewall for network performance reasons? Also, with high compute loads, I heard/read a rumor that a firewall might actually cap traffic?
The actual packet processing uses nftables in the kernel. Established connections are short circuited and thus skip most of the rule set. In other words, it's as fast as rolling your own nftables rule set.
Forwarded traffic can also be accelerated via flowtable. This should offer line rate forwarding.
https://firewalld.org/2023/05/nftables-flowtable
I am wondering, if there are some known metrics, or examples so one could create some rough estimates of possible performance loss?
I'm not exactly sure what you're asking for.
To benchmark your network you could use tools like iperf3 or netperf.
I used iperf3, and when not under load (neither CPU nor bandwidth), it shows a 10% bandwidth loss (over IB).
I was just wondering if one could roughly calculate/estimate the (theoretical) performance loss.
I'm not sure what two things you're comparing.
Bandwidth on an IB connection, firewall vs no firewall.
At any rate, I would expect it to vary widely depending on CPU, memory, etc.
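As an added example (not code from the thread, from firewalld, or from iperf3): since a single iperf3 run comparing "firewall vs no firewall" can differ by a few percent just from noise, and the thread's own caveat is that the result depends on CPU and memory, a practitioner would repeat each condition several times and record CPU utilization alongside throughput. The script below takes several `iperf3 --json` reports per condition, uses the median of each metric, and reports the percentage throughput loss plus the CPU delta on both hosts. The embedded reports are constructed samples with the shape of real iperf3 output, not measurements; their numbers are chosen to reproduce a 10% gap like the one reported above. The assumed workflow (one report per run, e.g. `iperf3 -c <server> -t 30 -P 4 --json > fw_on_1.json`) is mine, not the list's.

```python
"""Quantify firewall overhead from repeated iperf3 --json runs.

Added example, not code from the thread or from firewalld/iperf3. Assumed
workflow: run iperf3 several times with firewalld running and several times
with it stopped, save each report with --json, and feed the two groups to
compare_conditions(). The reports below are constructed samples, not data.
"""
import json
from statistics import median


def _fake_report(bps, host_cpu, remote_cpu, retransmits):
    """Build a minimal iperf3-style JSON document (constructed sample).

    Only the "end" summary fields this script reads are included; a real
    report also carries "start" and per-interval data.
    """
    return json.dumps({
        "end": {
            "sum_sent": {"bits_per_second": bps, "retransmits": retransmits},
            "sum_received": {"bits_per_second": bps},
            "cpu_utilization_percent": {
                "host_total": host_cpu,
                "remote_total": remote_cpu,
            },
        }
    })


# Three constructed runs per condition; the firewalled runs are ~10% slower
# and cost a few extra percent of CPU on the host running the ruleset.
RUNS_NO_FW = [_fake_report(25.0e9, 30.0, 41.0, 0),
              _fake_report(24.6e9, 31.0, 40.0, 0),
              _fake_report(25.2e9, 29.0, 42.0, 0)]
RUNS_FW = [_fake_report(22.5e9, 36.0, 41.0, 0),
           _fake_report(22.2e9, 37.0, 40.0, 0),
           _fake_report(22.8e9, 35.0, 42.0, 0)]


def parse_report(text):
    """Extract receiver-side throughput (Gbit/s), CPU use and retransmits."""
    end = json.loads(text)["end"]
    return {
        "gbps": end["sum_received"]["bits_per_second"] / 1e9,
        "host_cpu": end["cpu_utilization_percent"]["host_total"],
        "remote_cpu": end["cpu_utilization_percent"]["remote_total"],
        "retransmits": end["sum_sent"].get("retransmits", 0),
    }


def summarize(reports):
    """Median of each metric over several runs so one outlier cannot dominate."""
    parsed = [parse_report(r) for r in reports]
    return {key: median(p[key] for p in parsed) for key in parsed[0]}


def compare_conditions(baseline_reports, candidate_reports):
    """Percentage throughput loss and CPU deltas of candidate vs baseline.

    A positive loss_pct means the candidate (e.g. firewalld running) moved
    fewer bits per second than the baseline; a positive host_cpu_delta means
    the sending host burned more CPU to do it, which is the figure to watch
    on a node that is also running a compute job.
    """
    base = summarize(baseline_reports)
    cand = summarize(candidate_reports)
    loss_pct = (base["gbps"] - cand["gbps"]) / base["gbps"] * 100.0
    return {
        "baseline_gbps": base["gbps"],
        "candidate_gbps": cand["gbps"],
        "loss_pct": loss_pct,
        "host_cpu_delta": cand["host_cpu"] - base["host_cpu"],
        "remote_cpu_delta": cand["remote_cpu"] - base["remote_cpu"],
        "retransmit_delta": cand["retransmits"] - base["retransmits"],
    }


if __name__ == "__main__":
    # With real files: RUNS_* = [open(p).read() for p in sorted(glob(...))]
    for key, value in compare_conditions(RUNS_NO_FW, RUNS_FW).items():
        print(f"{key:>18}: {value:.2f}")
```

Run each condition under the same load profile (idle, then with the compute job running) and keep the per-run reports; if the medians differ by less than the spread between runs of the same condition, the firewall is not the bottleneck and the iperf3 parameters (stream count, test length, MTU) are worth checking before the ruleset is.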