Hi Jo,

On 27.05.2016 10:33, Jo-Philipp Wich wrote:
>
> with enabled by default you mean that it is getting built and
> installable with opkg?

Yes.

> If a kmod is specifically disabled by default settings then it usually
> has a performance penalty attached with it, even when not loaded.
>
> I'd be grateful if someone could do some iperf throughput testing with
> and without kmod-ipt-debug built/enabled/loaded and see if it makes any
> difference at all.

I did look at the code, and AFAICS the only code path affected by
compiling but not loading xt_TRACE is:

net/ipv[46]/netfilter/ip_tables.c:ipt_do_table()

The following code is run for each packet once for each firewall rule

    if (unlikely(skb->nf_trace))
        ...

This is a single access to a bit in a bitfield of the skb, i.e.
read+mask and a not-taken branch marked as unlikely.
Depending on CPU architecture (i.e. cost of an unlikely branch not
taken), the performance impact should be minimal given that the skb has
been accessed directly before and it should be already in the CPU cache.

OTOH, using (instead of just compiling) xt_TRACE is going to have a
noticeable performance impact.

If someone wants to perform iperf testing, the key to making the impact
of the additional code path measurable is to have a few hundred iptables
rules matching the iperf traffic. That way, the additional code path
gets maximum impact.

Regards,
Carl-Daniel

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
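
Added example (not part of the original message or of the LEDE code base): a POSIX shell generator for the test ruleset the message describes, a few hundred non-terminating rules that all match the iperf stream, emitted in iptables-restore format. The chain name IPERF_BENCH, the function name and the default TCP port 5001 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a benchmark ruleset for the iperf comparison.
# Every rule matches the iperf data stream but has no target, so each
# packet is matched by all COUNT rules, only updates their counters,
# and then falls through to the normal firewall rules.
#
# Load:   gen_bench_rules 300 | iptables-restore --noflush
# Remove: iptables -D FORWARD -j IPERF_BENCH
#         iptables -F IPERF_BENCH && iptables -X IPERF_BENCH

# gen_bench_rules COUNT [PORT] [HOOK]
#   COUNT  number of matching rules to generate
#   PORT   TCP destination port of the iperf server (assumed default: 5001)
#   HOOK   built-in chain the traffic passes: FORWARD on a router under
#          test, INPUT on the iperf server itself
gen_bench_rules() {
    count=$1
    port=${2:-5001}
    hook=${3:-FORWARD}

    # Validate everything that ends up inside the ruleset text.
    case $count in ''|*[!0-9]*) echo "COUNT must be a number" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "PORT must be a number" >&2; return 1 ;; esac
    case $hook in INPUT|FORWARD|OUTPUT) ;; *) echo "bad HOOK" >&2; return 1 ;; esac

    echo '*filter'
    echo ':IPERF_BENCH - [0:0]'            # dedicated chain, easy to remove
    echo "-I $hook 1 -j IPERF_BENCH"       # evaluate it before other rules
    i=0
    while [ "$i" -lt "$count" ]; do
        echo "-A IPERF_BENCH -p tcp --dport $port"
        i=$((i + 1))
    done
    echo 'COMMIT'
}

# Stand-alone use: ./gen_bench_rules.sh 300 5001 FORWARD
if [ "$#" -gt 0 ]; then
    gen_bench_rules "$@"
fi
```

Run the same iperf transfer with the ruleset loaded on an image built with kmod-ipt-debug and on one built without it; the rule counters from `iptables -L IPERF_BENCH -v -n` confirm that the traffic actually matched the rules.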