Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables latency evaluation
Special Forums Cybersecurity iptables latency evaluation Post 302568808 by Slaughterman on Friday 28th of October 2011 09:32:44 AM
Old 10-28-2011
iptables latency evaluation
Hello guys,

I'm actually working on my master thesis which has for subject the evaluation of virtual firewall in a cloud environment. To do so, I installed my own cloud using OpenNebula (as a frontend) and Xen (as a Node) on two different machines. The Xen machine is my virtual firewall thanks to iptables.

I am running a number of different performance tests over the xen machine to evaluate the performance of iptables. One of this test, would be the latency time introduced by the processing of the packet in iptables; and this is where I'm having troubles testing it.

Here are the different ideas I had so far, and their problems:
- ICMP Timestamp pinging. An ICMP Timestamp reply contains three timestamps: originate timestamp which is the time the sender last touched the message, receive timestamp which is the time the receiver first touched the message, and transmit timestamp which is the time the receiver last touched the message before sending it back. By subtracting the transmit timestamp by the receive timestamp, we get the processing latency of the packet. The problem is the time is in milliseconds which is no precise enough as the latency (at least when a very little number of rules are active in iptables) is lower than 1ms.
- Normal ping ran two times with the firewall on, and then off. The process time is the subtraction between this two times, divided buy 2 (because of round-trip latency) A little more precise has it is in microsecond, but still not enough (nanoseconds would be good). And I fear all this calculation adds too much approximation anyway...
- Wireshark timestamp calculation: sucks totally as wireshark capture the packets before they enter iptables
- Normal ping one time. Displaying the latency as round-trip latency. I won't get the processing latency, but I will still be able to display in a graph the effect of rules and throughput level on the overall latency of a connection going through the firewall. That's my "best" plan so far, but it sucks because it's off the original idea which is measuring the firewall latency only.

Do you guys have any comments on my ideas, or even better a solution to accurately measure firewall latency ?

Cheers,

Clement
 

5 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

cp command evaluation

Hi all! I'm writting one script to copy a file in various folders, but there are 2 things to validate. First that the folder where i'll be cpying exists, and second that i have permissions to copy the file in it. so far i have found the way to validate the folder exists, but when trying to... (6 Replies)
Discussion started by: feliperivera
6 Replies

2. UNIX for Advanced & Expert Users

Determining typing latency

Hi all, When I use an editor (vi) that is spawned in a remote server, visually I could see the latency between typing a character/word and being displayed on the terminal. I could see this visually but how do I get a metric on this or how to quantify this? As expected, when I type in a editor... (6 Replies)
Discussion started by: matrixmadhan
6 Replies

3. AIX

Latency Test

Hi every one, we have a set up in solaris 8 and 9 and running many cshell scripts.. we are migrate to AIX . Now, i want to know the latency difference between two boxes(Solaris and AIX). Kindly help me to , how to do Latency test.. (0 Replies)
Discussion started by: Madhu Siddula
0 Replies

4. Solaris

Latency Test

Hi every one, we have a set up in solaris 8 and 9 and running many cshell scripts.. we are migrate to AIX . Now, i want to know the latency difference between two boxes(Solaris and AIX). Kindly help me to , how to do Latency test.. (2 Replies)
Discussion started by: Madhu Siddula
2 Replies

5. Red Hat

Memory release latency issue

I have an application that routinely alloc() and realloc() gigabyte blocks of memory for image processing applications; specifically performing rotations of huge images, or creating/ deleting huge image buffers to contain multiple images. Immediately upon completion of an operation I call free() to... (9 Replies)
Discussion started by: imagtek
9 Replies

LEARN ABOUT DEBIAN

pyroman

PYROMAN(8)						      System Manager's Manual							PYROMAN(8)

NAME

       pyroman - a firewall configuration utility

SYNOPSIS

       pyroman
	      [ -hvnspP ] [ -r RULESDIR ] [ -t SECONDS ]
	      [ --help ] [ --version ] [ --safe ] [ --no-act ]
	      [ --print ] [ --print-verbose ] [ --rules=RULESDIR ]
	      [ --timeout=SECONDS ] [ safe ]

DESCRIPTION

       pyroman is a firewall configuration utility.

       It will compile a set of configuration files to iptables statements to setup IP packet filtering for you.

       While it is not necessary for operating and using Pyroman, you should have understood how IP, TCP, UDP, ICMP and the other commonly used
       Internet protocols work and interact. You should also have understood the basics of iptables in order to make use of the full
       functionality.

       pyroman does not try to hide all the iptables complexity from you, but tries to provide you with a convenient way of managing a complex
       networks firewall.  For this it offers a compact syntax to add new firewall rules, while still exposing access to add arbitrary iptables
       rules.

OPTIONS

       -r RULESDIR,--rules=RULES
	      Load the rules from directory RULESDIR instead of the default directory (usually /etc/pyroman )
       -t SECONDS,--timeout=SECONDS
	      Wait SECONDS seconds after applying the changes for the user to type OK to confirm he can still access the firewall. This implies
	      --safe but allows you to use a different timeout.
       -h, --help
	      Print a summary of the command line options and exit.
       -V, --version
	      Print the version number of pyroman and exit.
       -s, --safe, safe
	      When the firewall was committed, wait 30 seconds for the user to type OK to confirm, that he can still access the firewall (i.e. the
	      network connection wasn't blocked by the firewall).  Otherwise, the firewall changes will be undone, and the firewall will be
	      restored to the previous state.  Use the --timeout=SECONDS option to change the timeout.
       -n, --no-act
	      Don't actually run iptables. This can be used to check if pyroman accepts the configuration files.
       -p, --print
	      Instead of running iptables, output the generated rules.
       -P, --print-verbose
	      Instead of running iptables, output the generated rules. Each statement will have one comment line explaining how this rules was
	      generated. This will usually include the filename and line number, and is useful for debugging.
CONFIGURATION

       Configuration of pyroman consists of a number of files in the directory /etc/pyroman.  These files are in python syntax, although you do
       not need to be a python programmer to use these rules. There is only a small number of statements you need to know:
       add_host
	      Define a new host or network
       add_interface
	      Define a new interface (group)
       add_service
	      Add a new service alias (note that you can always use e.g. www/tcp to reference the www tcp service as defined in /etc/services)
       add_nat
	      Define a new NAT (Network Address Translation) rule
       allow  Allow a service, client, server combination
       reject Reject access for this service, client, server combination
       drop   Drop packets for this service, client, server combination
       add_rule
	      Add a rule for this service, client, server and target combination
       iptables
	      Add an arbitrary iptables statement to be executed at beginning
       iptables_end
	      Add an arbitrary iptables statement to be executed at the end
       Detailed parameters for these functions can be looked up by caling
	      cd /usr/share/pyroman
	      pydoc ./commands.py

BUGS

       None known as of pyroman-0.4 release

AUTHOR

       pyroman was written by Erich Schubert <erich@debian.org>

SEE ALSO

       iptables(8), iptables-restore(8) iptables-load(8)

																	PYROMAN(8)
All times are GMT -4. The time now is 02:25 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy