Software router state of the art

Rubens Kuhl Jr. rubensk at
Mon Jul 28 20:00:35 UTC 2008

>> It keeps track of Src/Dst/QoS/Ethernet adapters/etc.. Additionally most
>> systems have the iptables modules loaded in kernel and the conntrack
>> module in kernel. This immediately activates connection tracking,
>> therefore considerably slowing down software routing. The most optimal
>> way of speeding this up would be sticking the route cache into somewhat
>> faster memory. Though it would be fairly nice to get rid of the route
>> cache as that can cause problem with eccentric setups. Also, cache
>> entries take a moment to be deleted or degrade, leading to convergence
>> times being higher.
> Note .. to .. self ..  Linux .. makes .. crappy .. router.  Got it.
> Guess we'll continue to use FreeBSD, and the lesson to come away with
> is that it probably pays to avoid technologies that are suboptimal
> for the task at hand.  Not everything is created equal.  It also pays
> to tune things.  If "conntrack" hurts, then remove it.

You can use Linux without conntrack. You can either do "rmmod
ip_conntrack" (unload the module), rm /var/lib/modules/ip_conntrack
(or something like that to erase the file) or use the RAW queue to
forward some packets without connection tracking (-j NOTRACK) and some
others with conntrack (proxy redirection, captive portal and things
like that require stateful forwarding in any platform).

I would be more worried about the prefix match and route cache done by
the operating system you are considering for use as a router. That
cannot be circumvented by turning off conntrack, pf or anything that
might do more with the packet than plain simple routing.
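As an added example (not part of the original post, and not Rubens' code), the split described above expressed as iptables rules: pure transit is exempted with NOTRACK in the raw table, while captive-portal clients stay tracked because REDIRECT depends on conntrack to reverse the translation. The interface, client range and portal port are assumed placeholders; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the NANOG post. Keep conntrack loaded but only
# for the flows that need it (captive portal redirect); everything else
# is forwarded untracked via the raw table, which runs before conntrack.
# Assumed placeholders: LAN_IF, PORTAL_NET, PORTAL_PORT. DRY_RUN=1 echoes
# the iptables commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-eth0}
PORTAL_NET=${PORTAL_NET:-10.0.0.0/8}
PORTAL_PORT=${PORTAL_PORT:-8080}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rule order matters: the RETURN for portal clients must precede the
# catch-all NOTRACK, otherwise their packets are never tracked and the
# REDIRECT below cannot work. Forwarded (transit) packets only traverse
# PREROUTING in the raw table, so this is enough to keep them untracked.
exempt_transit() {
    ipt -t raw -A PREROUTING -i "$LAN_IF" -s "$PORTAL_NET" -p tcp --dport 80 -j RETURN
    ipt -t raw -A PREROUTING -j NOTRACK
}

# Portal clients stay tracked: REDIRECT is a DNAT, and conntrack is what
# un-translates the reply packets.
redirect_portal() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$PORTAL_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"
}

# Verification hook: number of flows currently in the conntrack table.
# With transit untracked, forwarded flows no longer show up here.
tracked_flows() {
    cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo 0
}

exempt_transit
redirect_portal
echo "tracked flows: $(tracked_flows)"
```

Run with DRY_RUN=0 as root to apply; compare tracked_flows before and after to confirm transit stopped populating the table.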

