commit r30917 ("kernel: bypass all netfilter hooks if the sysctls for that
functionality have been disabled - eliminates the overhead of enabling
CONFIG_BRIDGE_NETFILTER in the kernel config") introduced an optimization
which should reduce/eliminate the overhead for traffic send over bridges on
kernels compiled with CONFIG_BRIDGE_NETFILTER=y. But this optimization
breaks the nf_call_iptables per bridge setting which is more fine grained
than the global sysctl net.bridge.bridge-nf-call-iptables setting.
A test reflecting a real world setup was created to identify if this really
eliminates the overhead and if per-bridge nf_call_iptables could be used in
some setups to increase the throughput. A Qualcomm Atheros QCA9558 based
system with one ethernet and an ath9k wifi 3x3 in HT40 mode was used.
Cables from the AP to the wifi station were used to reduce interference
problems during the tests.
The wlan interface was put in one bridge interface called br-wlan. This
bridge usually contains some more wlan interfaces. The eth0 was put in a
second bridge called br-lan. This usually contains some other privileged
wlan or mesh interfaces. Routing was added between br-lan and br-wlan.
Three kernels were tested:
* (default) OpenWrt kernel for this device
* (brfilter-global) OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y
* (brfilter-local) OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y and
without 644-bridge_optimize_netfilter_hooks.patch
The changes to the the netfilter settings of the bridge were done via:
* (brfilter-global) /sbin/sysctl -w net.bridge.bridge-nf-call-iptables=1
* (brfilter-lobal) echo 1 > /sys/class/net/br-lan/bridge/nf_call_iptables
and/or echo 1 > /sys/class/net/br-wan/bridge/nf_call_iptables
A station connected to the wlan0 (AP) interface was used to send traffic to
a PC connected via ethernet. iperf with 3 concurrent transmissions was used
to generate the traffic.
| kernel | br-nf-* global | nf-call* iface | download | upload |
|-----------------|----------------|----------------|----------|----------|
| default | 0 | - | 209 | 268 |
| brfilter-global | 0 | - | 185 | 243 |
| brfilter-local | 0 | - | 187 | 243 |
| brfilter-local | 0 | br-lan | 157 | 226 |
| brfilter-local | 0 | br-lan br-wlan | 139 | 161 |
| brfilter-global | 1 | - | 136 | 162 |
Download/upload results in Mibit/s
It can be seen that the patch doesn't eliminate the overhead. It can also
be seen that the throughput of brfilter-global and brfilter-local with
disabled filtering is the roughly the same. Also the throughput for
brfilter-global and brfilter-local for enabled filtering on all bridges is
roughly the same.
But also the brfilter-local throughput is higher when only br-lan requires
the filtering. This setting would not be possible with
644-bridge_optimize_netfilter_hooks.patch applied and thus can only be
compared with brfilter-global and filtering enabled for all interfaces.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 46835
added: ip addr, ip route, ip link, traceroute6
removed: hostid, devmem, vconfig, arping
deprecated (to be removed): ifconfig, route
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46829
It was corrupted in r38528. The most obvious symptom is repeated messages like this:
Tue Sep 8 08:25:18 2015 kern.warn kernel: [77141.972226] br-lan: received packet on wlan0 with own address as source address
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 46821
Everything except for blkcipher was already built-in, so make blkcipher
built-in as well.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46820
While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46814
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46809
* ra: don't announce as default router if we aren't (regression)
* ra: reduce maximum announced dns lifetimes due to buggy clients
* dhcpv6: fix mac-based lease-matching
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46802
When a package links to a shared library that depends on libiconv or
libintl shared libraries, specifying directory pathes to them via -L
switches is not enough, see "man 1 ld" -rpath-link description.
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
SVN-Revision: 46801
Add support for the Netgear Nighthawk X4 R7500 and build
appropariate sysupgrade and factory images.
Known issues:
* 5 GHz wifi not working - there is no quantenna driver
* One of the USB ports is not working
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46796
To use gpio leds as ide leds, we need to enable the trigger to be
included in the kernel.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46795
The KERNEL_SIZE should be the maximum size, inclusive, so we need to
check for greater equal, not just greater.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46792
Add full ubi and sysupgrade images for AP148 and add sysupgrade support
for ipq806x to allow updating the current installation.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46789