how to compare throughput performance between proxy device and iptables rules for forwarding lxd container traffic

  • install and run iperf server in a container
sudo apt install iperf
iperf -s -p 10000 -P 4

  • add iptables forwarding rules in host
vi ~/scripts/portForwarding4lxd.sh
chmod 755 ~/scripts/portForwarding4lxd.sh
~/scripts/portForwarding4lxd.sh kdrive 10000 10000
cat portForwarding4lxd.sh
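#!/bin/bash
# Forward a TCP port on the host to a port inside an LXD container with iptables.

if [ $# -ne 3 ]; then
        echo "Usage: $0 containerName srcPort dstPort"
        echo "Example: $0 kdrive 8000 8000"
        echo "Example: $0 kdrive 8082 8082"
        exit 1
fi

hostdev=eth0
# IPv4 address of the host interface, without the prefix length
hostIP=$(/sbin/ip -o -4 addr list "$hostdev" | awk '{print $4}' | cut -d/ -f1)
cName=$1
srcPort=$2
dstPort=$3

# IPv4 column of the 'lxc list' table, for the row whose name matches exactly
lxdIP=$(lxc list | awk -v n="$cName" '$2 == n {print $6}')
if [ -z "$lxdIP" ]; then
        echo "Error: no such container, named $cName"
        exit 1
fi
lxdSubnet=${lxdIP%.*}.0/24

# Rewrite traffic for hostIP:srcPort so that it goes to the container
sudo iptables -t nat -A PREROUTING -d "$hostIP" -p tcp --dport "$srcPort" -j DNAT --to-destination "$lxdIP:$dstPort"
# Accept forwarded traffic to the container subnet (any port, any container in the /24)
sudo iptables -I FORWARD -m state -d "$lxdSubnet" --state NEW,RELATED,ESTABLISHED -j ACCEPT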
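
The FORWARD rule in the script above accepts new connections to the whole container /24 on every port. As an added example (not part of the original post), the function below prints rules limited to one container address and port, plus the matching delete form; the function names and sample addresses are constructed, and `-m conntrack --ctstate` is used in place of `-m state`.

```bash
#!/bin/bash
# Added example: print iptables commands that forward ONE host port to ONE
# container port. Nothing is executed; review the output, then run it as root.

# valid_port N: succeeds if N is a decimal integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: succeeds for four dotted octets, each 0..255.
# Rejecting every other character also keeps shell metacharacters out.
valid_ipv4() {
    local IFS=. octet count=0
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    for octet in $1; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# gen_rules add|del hostIP lxdIP srcPort dstPort
gen_rules() {
    local action="$1" hostIP="$2" lxdIP="$3" srcPort="$4" dstPort="$5" natOp fwdOp
    case "$action" in
        add) natOp=-A; fwdOp=-I ;;   # same append/insert choice as the script above
        del) natOp=-D; fwdOp=-D ;;   # exact inverse, for cleanup after the test
        *) echo "action must be add or del" >&2; return 2 ;;
    esac
    valid_ipv4 "$hostIP" && valid_ipv4 "$lxdIP" || { echo "bad IPv4 address" >&2; return 2; }
    valid_port "$srcPort" && valid_port "$dstPort" || { echo "bad port" >&2; return 2; }

    # DNAT rewrites the destination before the FORWARD chain is evaluated, so
    # the FORWARD rule matches the container address and the container port.
    echo "iptables -t nat $natOp PREROUTING -d $hostIP -p tcp --dport $srcPort" \
         "-j DNAT --to-destination $lxdIP:$dstPort"
    echo "iptables $fwdOp FORWARD -d $lxdIP -p tcp --dport $dstPort" \
         "-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample values (documentation-range host address, made-up container address)
gen_rules add 192.0.2.10 10.0.3.5 10000 10000
```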

  • send traffic to iperf server inside a container from a client device
iperf -c kdrive.kairoson.org -p 10000
# test result
mslee@kairoson:~$ iperf -c kdrive.kairoson.org -p 10000
------------------------------------------------------------
Client connecting to kdrive.kairoson.org, TCP port 10000
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.0.2 port 48646 connected with 119.203.68.69 port 10000
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.09 GBytes   933 Mbits/sec

  • configure lxd proxy device for port forwarding
lxc config device add kdrive myport20000 proxy \
                            listen=tcp:0.0.0.0:20000 connect=tcp:127.0.0.1:20000

how to use the LXD Proxy Device to map ports between the host and the containers
https://blog.simos.info/how-to-use-the-lxd-proxy-device-to-map-ports-between-the-host-and-the-containers/


  • run iperf server in the same container
iperf -s -p 20000 -P 4

  • send traffic to iperf server inside the container from a client device
iperf -c kdrive.kairoson.org -p 20000
# test result
mslee@kairoson:~$ iperf -c kdrive.kairoson.org -p 20000
------------------------------------------------------------
Client connecting to kdrive.kairoson.org, TCP port 20000
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.0.2 port 38104 connected with 119.203.68.69 port 20000
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.09 GBytes   934 Mbits/sec

  • summary

It seems that there is no performance difference between the iptables rule and lxd’s proxy device on the odroid-c2 and 1Gbps LAN of my experiment environment.


lxd’s proxy device(TCP proxy) vs iptables rule
https://blog.simos.info/how-to-use-the-lxd-proxy-device-to-map-ports-between-the-host-and-the-containers/#comment-408409

reverse proxy with nginx
https://blog.simos.info/how-to-use-the-lxd-proxy-device-to-map-ports-between-the-host-and-the-containers/#comment-408553

https://www.linode.com/docs/guides/beginners-guide-to-lxd-reverse-proxy/


  • to do

I wonder how the proxy device could perform so well, since it is expected to perform poorly due to the packet copy overhead of a user-level proxy process. Later, try another experiment with a big file created by the ‘dd if=/dev/zero of=./bigfile.bin count=2048000’ command.

# done. test result of ftp
same as iperf result above.
