Re: Software router state of the art

["Rubens Kuhl Jr." <rubensk () gmail com>]

> > It keeps track of Src/Dst/QoS/Ethernet adapters/etc.. Additionally most
> > systems have the iptables modules loaded in kernel and the conntrack
> > module in kernel. This immediately activates connection tracking,
> > therefore considerably slowing down software routing. The most optimal
> > way of speeding this up would be sticking the route cache into somewhat
> > faster memory. Though it would be fairly nice to get rid of the route
> > cache as that can cause problem with eccentric setups. Also, as cache
> > entries take a moment to be deleted, or degrade leading to convergence
> > times being higher.
>
> Note .. to .. self ..  Linux .. makes .. crappy .. router.  Got it.
>
> Guess we'll continue to use FreeBSD, and the lesson to come away with
> is that it probably pays to avoid technologies that are suboptimal
> for the task at hand.  Not everything is created equal.  It also pays
> to tune things.  If "conntrack" hurts, then remove it.

You can use Linux without conntrack. You can either do "rmmod
ip_conntrack" (unload the module), rm /var/lib/modules/ip_conntrack
(or something like that to erase the file) or use the RAW queue to
forward some packets without connection tracking (-j NOTRACK) and some
others with conntrack (proxy redirection, captive portal and thinks
like that requires stateful forwarding in any platform).

I would be more worried about the prefix match and route cache done by
the operating system you are considering for use as a router. That
cannot be circunverted by turning off conntrack, pf or anything that
might do more with the packet that plain simple routing.


Rubens