[H-GEN] Improving UDP performance on firewall?

David Harrison trogspam at games.telstra.com
Thu Dec 2 21:18:43 EST 2004


First up, thanks for the in-depth response! A quick response from me to 
some of the points while I digest the others;

> The next thing I'd confirm is that your interfaces are indeed running
> in a full duplex mode. Check the switch, or alternately use mii-tool
> to check that.

mii-tool reports they're full duplex.

> You don't mention the volume of packets, and the actual data rates
> you're seeing. Given who you work for, I'm thinking that you'd have a
> high packet per second rate, and not that much actual throughput (with
> respect to the number of packets)

According to softnet_stats, approx 100k packets/second. The throughput 
at this point is around 50-60 Mbit/s.

> As for pinging as a performance measure, I wouldn't put too much stock
> in it. If your firewalling rule set has any ICMP rate limiting in it,
> that could be messing with any stats you obtain. I'd be more inclined
> to use a UDP pinging test. Search for a tool called uplog using Google
> or freshmeat.net. ICMP also is not guaranteed delivery, and chances
> are your router will drop it in preference for other packets.

I'm not too concerned with the ICMP pings, but I'm using them for 
reference at the moment because the results they're giving are roughly 
analogous to the results that I'm seeing with the in-game pings (which 
are UDP). They're not equal but so far they've proven to be at least a 
decent indicator.

> Failing that, check the order of your firewall ruleset.

We actually disabled the bulk of the rules last night to see if this 
made any difference, hoping that we could optimise the ruleset a bit - 
but even when it wasn't processing any rules it was still suffering from 
the problem.

Thanks again for the thorough response; I'll definitely be looking at 
some of the options you've suggested and will see how they work out.

-- dave
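
A packet rate like the one quoted from softnet_stats comes from diffing two snapshots of /proc/net/softnet_stat, and the same diff shows whether the box is dropping packets or running out of softirq budget. This is an added example, not part of the original post; the snapshot values are constructed, and it assumes the first three hex columns are processed, dropped and time_squeeze held in 32-bit counters.

```python
# Added example: per-CPU packet rate and drop deltas from two
# /proc/net/softnet_stat snapshots. All sample data is constructed.

def parse_softnet(text):
    """Return one dict per CPU line; every field in the file is hexadecimal."""
    rows = []
    for line in text.strip().splitlines():
        fields = [int(f, 16) for f in line.split()]
        if len(fields) < 3:
            raise ValueError("unexpected softnet_stat line: %r" % line)
        rows.append({"processed": fields[0],      # packets handled by this CPU
                     "dropped": fields[1],        # backlog queue was full
                     "time_squeeze": fields[2]})  # softirq budget ran out
    return rows

def delta(new, old, width=32):
    """Counter difference that survives a wrap (assumes 32-bit counters)."""
    return (new - old) % (1 << width)

def rates(before, after, seconds):
    """Per-CPU packets/second plus drop and squeeze counts over the interval."""
    a, b = parse_softnet(before), parse_softnet(after)
    if len(a) != len(b):
        raise ValueError("CPU count changed between snapshots")
    return [{"cpu": cpu,
             "pps": delta(y["processed"], x["processed"]) / seconds,
             "dropped": delta(y["dropped"], x["dropped"]),
             "time_squeeze": delta(y["time_squeeze"], x["time_squeeze"])}
            for cpu, (x, y) in enumerate(zip(a, b))]

# Constructed snapshots, 10 seconds apart, two CPUs; CPU 0's counter wraps.
SNAP_T0 = """\
fffe0000 00000000 00000010 00000000 00000000 00000000 00000000 00000000 00000000
00001000 00000005 00000002 00000000 00000000 00000000 00000000 00000000 00000000
"""
SNAP_T1 = """\
000d4240 00000012 00000040 00000000 00000000 00000000 00000000 00000000 00000000
000011f4 00000005 00000002 00000000 00000000 00000000 00000000 00000000 00000000
"""

if __name__ == "__main__":
    for row in rates(SNAP_T0, SNAP_T1, 10):
        print("cpu%(cpu)d: %(pps).0f pps, dropped +%(dropped)d, "
              "time_squeeze +%(time_squeeze)d" % row)
```

A rising dropped or time_squeeze delta on one CPU while the others stay idle points at interrupt handling on that CPU rather than at the firewall ruleset.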
