Re: enabling ip_forward, slow my network rate

[Manuel Mely <mmelyp@gmail.com>]

Paolo wrote:
> On Thu, May 29, 2008 at 03:56:00PM -0400, Manuel Mely wrote:
>   
> > Hi,
> >
> > After some years using iptables as a firewall, i never have seen this. 
> > If i enable ip_forward, my download rate is ~865Kbits (on a 100Mbit 
> >     
>
> kernel version?
> %iptables version? (likely not crucial, but ...)
> % iptables-save ?
> anything in logs / dmesg?
> %ifconfig eth0 shows differences between such config cases?
> %lsmod in both cases? (assuming you have all netfilter's stuf as modules) 
>
> This reminds me of an old netfilter (heisen)bug, but that was ~2.4.28..30 era.
>
>
>   

Sorry i forgot this data. I'm running Debian Etch.

#lsmod
...
iptable_nat             7812  1
ip_nat                 17740  1 iptable_nat
ip_conntrack           49856  3 xt_state,iptable_nat,ip_nat
iptable_mangle          3648  0
iptable_filter          3872  1
ip_tables              13892  3 iptable_nat,iptable_mangle,iptable_filter
x_tables               14084  6 
xt_mac,xt_limit,xt_tcpudp,xt_state,iptable_nat,ip_tables

arcotest:/tmp# dmesg |grep ip_connt
ip_conntrack version 2.4 (4160 buckets, 33280 max) - 224 bytes per conntrack

arcotest:/tmp# dpkg -l |grep iptables
ii  iptables               1.3.6.0debian1-5                     
administration tools for packet filtering an

I'm not running any firewall rule. The default policies are this:

Chain INPUT (policy ACCEPT 13 packets, 916 bytes)
pkts bytes target     prot opt in     out     source               
destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               
destination        

Chain OUTPUT (policy ACCEPT 8 packets, 896 bytes)
pkts bytes target     prot opt in     out     source               
destination 


ifconfig eth0 reports (with ip_forward disabled):

eth0      Link encap:Ethernet  HWaddr 00:16:3E:00:00:12 
         inet addr:172.18.145.10  Bcast:172.18.145.15  Mask:255.255.255.240
         inet6 addr: fe80::216:3eff:fe00:12/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:26958 errors:0 dropped:0 overruns:0 frame:0
         TX packets:12457 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:30744328 (29.3 MiB)  TX bytes:960367 (937.8 KiB)


With ip_forward enabled:


eth0      Link encap:Ethernet  HWaddr 00:16:3E:00:00:12 
         inet addr:172.18.145.10  Bcast:172.18.145.15  Mask:255.255.255.240
         inet6 addr: fe80::216:3eff:fe00:12/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:62979 errors:0 dropped:0 overruns:0 frame:0
         TX packets:31127 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:84539182 (80.6 MiB)  TX bytes:2208905 (2.1 MiB)


As you can see there's some difference in TX bytes.