Building iptable_filter as module

Monday, 5 November 2018

Fedora builds the kernel with CONFIG_IP_NF_IPTABLES=y.
This is known to have a measurable performance impact even when there
are no firewall rules.

This is a series of 10 tests made with a Fedora 4.19.0-1.fc30 kernel
built with ip_tables as module, thousands of packets per second on an
8 core machine:

       no module   ip_filter loaded
run 1      8.484       8.027
run 2      8.466       8.042
run 3      8.446       8.176
run 4      8.313       7.900
run 5      8.457       8.165
run 6      8.459       8.202
run 7      8.403       7.978
run 8      8.487       7.991
run 9      8.567       8.124
run 10     8.244       7.966
----------------------------
average    8.433       8.057
stdev         92         103
%                      -4,66%

Building iptable_filter as module should not have any disadvantage
because it's loaded on first iptables call, and dracut can be
instructed to put it in the initramfs if needed.
This is what happens on Fedora 29 (obviously with firewalld disabled on boot):

# lsmod |grep iptable
# iptables -A INPUT -i lo -j ACCEPT
# lsmod |grep iptable
iptable_filter         16384  1
ip_tables              28672  1 iptable_filter
x_tables               45056  2 iptable_filter,ip_tables

Regards,
-- 
Matteo Croce
per aspera ad upstream

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Building iptable_filter as module