
Quick NAT: High Performance NAT System on Commodity Platforms (5)

Figure 13 shows that the throughput of Netfilter increases only slowly with a growing number of CPU cores. In contrast, the performance of Quick NAT scales linearly with the number of cores and achieves an improvement of more than 860% over Linux Netfilter. The reason is that Quick NAT uses RSS to distribute flows efficiently across multiple CPU cores and relies on a lock-free hash table, which eliminates the overhead of sharing connection records among cores.

3) QNS Performance

We conduct an experiment to measure the search time of the QNS algorithm in Quick NAT and of the linear search that Netfilter uses to look up NAT rules. To start with, we add 100 rules to the different rule hash tables and then use QNS to look up different NAT rules 100 times to calculate the mean search time. Then we create a linked list storing the same rules and use linear search to look up different NAT rules in the same way. In addition, we increase the number of rules up to 10k and repeat the experiment many times.

Table I shows that QNS takes about 43 ns to look up a rule and that the number of rules makes no difference to its performance, because QNS is based on hash search with O(1) complexity. By contrast, looking up rules with linear search in Netfilter is a time-consuming process, especially when the number of rules is large.
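The experiment described above, as an added example that is not the paper's code: a hash-based rule lookup in the spirit of QNS (open addressing with linear probing) beside a sequential scan over the same rule set, timed the way the experiment describes, with the rule count swept from 100 to 10k. The rule key (destination IP, destination port, protocol), the hash function and the constructed DNAT mappings are assumptions, since the page does not give QNS's key layout.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
enum { NRULES = 10000, NBUCKETS = 16384 };  /* NBUCKETS: power of two above NRULES keeps the load factor low */
struct rule { uint32_t dip; uint16_t dport; uint8_t proto; uint32_t map_ip; uint16_t map_port; int used; };
static struct rule list_rules[NRULES], hash_rules[NBUCKETS];  /* sequential table vs. open-addressing table */
static uint32_t rule_hash(uint32_t dip, uint16_t dport, uint8_t proto) {  /* assumed key: dst IP, dst port, proto */
    uint32_t h = dip * 2654435761u ^ ((uint32_t)dport << 8) ^ proto;
    h ^= h >> 15; h *= 0x85ebca6bu; h ^= h >> 13;   /* mix so consecutive IPs spread across buckets */
    return h & (NBUCKETS - 1);
}
const struct rule *hash_lookup(uint32_t dip, uint16_t dport, uint8_t proto) {  /* expected O(1) */
    for (uint32_t i = rule_hash(dip, dport, proto); hash_rules[i].used; i = (i + 1) & (NBUCKETS - 1))
        if (hash_rules[i].dip == dip && hash_rules[i].dport == dport && hash_rules[i].proto == proto)
            return &hash_rules[i];
    return NULL;   /* the probe run ended at a free slot: no such rule */
}
const struct rule *linear_lookup(int n, uint32_t dip, uint16_t dport, uint8_t proto) {  /* O(n) */
    for (int k = 0; k < n; k++)   /* compare against every rule in order, like a sequential rule chain */
        if (list_rules[k].dip == dip && list_rules[k].dport == dport && list_rules[k].proto == proto)
            return &list_rules[k];
    return NULL;
}
void build_rules(int n) {  /* n constructed DNAT rules: (10.0.0.0 + k):(1024 + k)/tcp -> 192.0.2.1:(40000 + k) */
    memset(hash_rules, 0, sizeof hash_rules);
    for (int k = 0; k < n && k < NRULES; k++) {
        struct rule r = { 0x0A000000u + k, (uint16_t)(1024 + k), 6, 0xC0000201u, (uint16_t)(40000 + k), 1 };
        list_rules[k] = r;
        uint32_t i = rule_hash(r.dip, r.dport, r.proto);
        while (hash_rules[i].used) i = (i + 1) & (NBUCKETS - 1);   /* linear probing on collision */
        hash_rules[i] = r;
    }
}
double mean_lookup_ns(int n, int trials, int use_hash) {  /* mean ns per lookup over `trials` hits; -1.0 on any miss */
    struct timespec t0, t1; int hits = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (int t = 0; t < trials; t++) {
        int k = (t * 7919) % n;   /* spread the lookups across the whole rule set */
        hits += (use_hash ? hash_lookup(0x0A000000u + k, (uint16_t)(1024 + k), 6)
                          : linear_lookup(n, 0x0A000000u + k, (uint16_t)(1024 + k), 6)) != NULL;
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return hits == trials ? ((t1.tv_sec - t0.tv_sec) * 1e9 + (t1.tv_nsec - t0.tv_nsec)) / trials : -1.0;
}
int main(void) {   /* the paper's sweep: 100 rules up to 10k, 100k timed lookups per table */
    for (int n = 100; n <= NRULES; n *= 10) { build_rules(n); printf("%5d rules: hash %.1f ns, linear %.1f ns\n",
        n, mean_lookup_ns(n, 100000, 1), mean_lookup_ns(n, 100000, 0)); }
}
```

The hash lookup's mean should stay roughly flat across the sweep while the linear scan grows with the rule count, which is the effect Table I reports.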

5 Conclusion

This paper presents Quick NAT, a high performance NAT system that runs at line rate on commodity hardware. Firstly, the QNS algorithm is designed to search for NAT rules with O(1) complexity. QNS is based on hash search instead of sequential search, which eliminates the time spent scanning NAT rule tables. Furthermore, we use Receive-side Scaling (RSS) to distribute flows across multiple CPU cores. To reduce the overhead of locks among CPU cores, Quick NAT uses a lock-free hash table to share connection records efficiently between cores. Last but not least, Quick NAT takes advantage of the Data Plane Development Kit (DPDK) to run in user space, using zero-copy delivery and polling to cut down the overhead of copying and interrupts.

We implement Quick NAT on commodity servers. The experiments show that Quick NAT achieves line-rate throughput for 64B packets, an improvement of more than 860% over Linux Netfilter. Moreover, the performance of Quick NAT increases linearly with the number of cores, so Quick NAT provides high scalability.

Although Quick NAT achieves line rate, some work remains for the future. First of all, we plan to implement Quick NAT in virtual machines to support cloud computing environments and gain more flexibility and manageability. In addition, we will jointly redesign the algorithm for allocating IP addresses and ports from the IP/port pool and the RSS hash algorithm to achieve full localization of flows, avoiding the sharing of connection records among CPU cores and achieving higher performance and scalability on multicore platforms.
