Throughput on 10GbE drops when iptables is running, but I don't know why.
Gentoo Linux, kernel 6.6.21
CPU: Intel Xeon E5-1650v4
~#@❯ iperf3 -c 192.168.0.12
Connecting to host 192.168.0.12, port 5201
[ 5] local 192.168.0.11 port 57756 connected to 192.168.0.12 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 180 MBytes 1.51 Gbits/sec 0 426 KBytes
[ 5] 1.00-2.00 sec 180 MBytes 1.51 Gbits/sec 0 426 KBytes
[ 5] 2.00-3.00 sec 180 MBytes 1.51 Gbits/sec 0 426 KBytes
[ 5] 3.00-4.00 sec 181 MBytes 1.52 Gbits/sec 0 426 KBytes
[ 5] 4.00-5.00 sec 182 MBytes 1.53 Gbits/sec 0 426 KBytes
[ 5] 5.00-6.00 sec 184 MBytes 1.55 Gbits/sec 0 426 KBytes
[ 5] 6.00-7.00 sec 180 MBytes 1.51 Gbits/sec 0 426 KBytes
[ 5] 7.00-8.00 sec 180 MBytes 1.51 Gbits/sec 0 426 KBytes
[ 5] 8.00-9.00 sec 180 MBytes 1.51 Gbits/sec 0 426 KBytes
[ 5] 9.00-10.00 sec 179 MBytes 1.50 Gbits/sec 0 426 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.77 GBytes 1.52 Gbits/sec 0 sender
[ 5] 0.00-10.00 sec 1.76 GBytes 1.51 Gbits/sec receiver
iperf Done.
~#@❯ /etc/init.d/iptables stop
* Stopping Vuurmuur ... [ ok ]
* Stopping Vuurmuur Log ... [ ok ]
* Saving iptables state ... [ ok ]
* Stopping firewall ... [ ok ]
~#@❯ iperf3 -c 192.168.0.12
Connecting to host 192.168.0.12, port 5201
[ 5] local 192.168.0.11 port 41346 connected to 192.168.0.12 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 1.09 GBytes 9.38 Gbits/sec 0 427 KBytes
[ 5] 1.00-2.00 sec 1.09 GBytes 9.37 Gbits/sec 0 427 KBytes
[ 5] 2.00-3.00 sec 1.09 GBytes 9.38 Gbits/sec 0 427 KBytes
[ 5] 3.00-4.00 sec 1.09 GBytes 9.37 Gbits/sec 0 427 KBytes
[ 5] 4.00-5.00 sec 1.09 GBytes 9.38 Gbits/sec 0 427 KBytes
[ 5] 5.00-6.00 sec 1.09 GBytes 9.38 Gbits/sec 0 427 KBytes
[ 5] 6.00-7.00 sec 1.09 GBytes 9.37 Gbits/sec 0 427 KBytes
[ 5] 7.00-8.00 sec 1.09 GBytes 9.38 Gbits/sec 0 427 KBytes
[ 5] 8.00-9.00 sec 1.09 GBytes 9.38 Gbits/sec 0 427 KBytes
[ 5] 9.00-10.00 sec 1.09 GBytes 9.38 Gbits/sec 0 427 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 10.9 GBytes 9.38 Gbits/sec 0 sender
[ 5] 0.00-10.00 sec 2.00 GBytes 1.72 Gbits/sec receiver
iperf Done.
iptables script:
#!/bin/sh
# Interface names: LAN side and WAN (uplink) side.
export LAN=lan0
export WAN=wan

# Flush the filter and nat tables. Note: -F without -t only flushes the
# filter table; the raw and mangle tables are not touched here.
iptables -F
iptables -t nat -F

# Default policies: accept on INPUT/OUTPUT, drop forwarded traffic unless
# a FORWARD rule below allows it.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Accept everything arriving on the LAN interface and on loopback
# (both inserted at position 1, so lo ends up first, then LAN).
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

# Reject DHCP and DNS requests that do not come from the LAN.
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Allow SSH from the WAN, then drop all other privileged ports (0-1023)
# on non-LAN interfaces. Ports above 1023 stay reachable under the ACCEPT policy.
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Forwarding: never forward LAN traffic towards 192.168.0.0/16, forward LAN
# sources out, and accept traffic arriving on the WAN destined for
# 192.168.0.0/16 (no connection-tracking state check is applied).
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/16 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/16 -j ACCEPT

# Masquerade outgoing traffic on the WAN interface.
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Enable IPv4 forwarding and strict reverse-path filtering on all interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
Answer 1
I fixed the problem: in the rules file /var/lib/iptables/rules-save, the raw table rules for tun0 were repeated thousands of times. I don't know why, but that is what ended up causing the slowdown.
What is also strange is why iptables -F did not clear them, and why they did not show up when running -L or -S.
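The following is an added example, not code from the question or the answer above. `iptables -L` and `iptables -S` only show the filter table unless `-t` is given, and `iptables -F` without `-t` only flushes the filter table, so rules piling up in the raw table are easy to miss. `iptables-save` dumps every table, and since each chain is evaluated rule by rule for every packet that passes it, thousands of entries in raw PREROUTING cost CPU on every packet. The script parses an iptables-save style dump, counts rules per table and chain, lists exact duplicates, and emits flush commands for all tables. The dump is constructed inline for the example; the tun0 rule's target (ACCEPT) and the other rules are assumptions, not the poster's actual rules.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for rules that iptables -L/-S
# (filter table only) would not show. Works with POSIX sh and awk.

# Constructed sample in iptables-save format (assumed contents, not the
# poster's real rules): the raw table carries one tun0 rule repeated four times.
SAMPLE_RULES='# Generated by iptables-save
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i tun0 -j ACCEPT
-A PREROUTING -i tun0 -j ACCEPT
-A PREROUTING -i tun0 -j ACCEPT
-A PREROUTING -i tun0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan0 -j ACCEPT
COMMIT'

# Print "table chain count" for every chain that has rules, across all tables.
# Usage: rules_per_chain "$(iptables-save)"
rules_per_chain() {
    printf '%s\n' "$1" | awk '
        /^\*/  { table = substr($0, 2) }
        /^-A / { count[table " " $2]++ }
        END    { for (k in count) printf "%s %d\n", k, count[k] }' | sort
}

# Print "N table rule" for each rule text that occurs N>1 times in one table.
# Usage: duplicate_rules "$(iptables-save)"
duplicate_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/  { table = substr($0, 2) }
        /^-A / { seen[table " " $0]++ }
        END    { for (k in seen) if (seen[k] > 1) printf "%d %s\n", seen[k], k }' | sort -rn
}

# Emit flush (-F) and delete-user-chain (-X) commands for every table.
# Plain "iptables -F" touches only the filter table. The security table only
# exists on kernels with the matching module; drop it from the list if absent.
flush_all_tables_cmds() {
    for t in raw mangle nat filter security; do
        printf 'iptables -t %s -F\niptables -t %s -X\n' "$t" "$t"
    done
}

# Stand-alone run over the constructed sample.
if [ "${1:-}" = "demo" ]; then
    echo "rules per chain:";     rules_per_chain "$SAMPLE_RULES"
    echo "duplicated rules:";    duplicate_rules "$SAMPLE_RULES"
    echo "flush commands:";      flush_all_tables_cmds
fi
```

Against a live box, run `rules_per_chain "$(iptables-save)"` and `duplicate_rules "$(iptables-save)"` as root; a chain with a rule count far above what your script installs is the thing to look at. Review the output of `flush_all_tables_cmds` before piping it to `sh`, since it clears every table, including NAT.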