Lochnair / xt_tls

Filter TLS traffic with IPtables
GNU General Public License v3.0

CPU usage #70

Open Shamanky opened 1 month ago

Shamanky commented 1 month ago

Have you tested this module under high load, e.g. 700 Mb (megabits)/s or 5000 Mb (megabits)/s? I am mainly interested in CPU load.

Lochnair commented 1 month ago

Can't say I have. But a more relevant metric here than throughput is how many new TLS connections you have per second. So if you set up your firewall to only run the handshake through xt_tls, then the CPU load should be pretty negligible.

For example if you have this:

# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:https TLS suffix-match hostset blocklist
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https

Then every single packet on port 443 will go through xt_tls, in which case, yes, high throughput might cause extra CPU load while using this module.
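One way to build the "handshake only" arrangement described above, as an added example that is not code from the xt_tls project or from either commenter. It prints two OUTPUT-chain rule sets side by side: the first reproduces the listing above, where every port-443 packet reaches the TLS parser; the second puts connmark and connbytes checks in front of it, so a connection is parsed only during its first client packets (where the ClientHello sits) and afterwards takes a fast path on its stored verdict. The hostset name "blocklist" and the --tls-hostset/--tls-suffix options are read off the listing above; the mark values and the six-packet window are assumptions made here. Nothing is applied unless you pipe the output into sh yourself.

```shell
#!/bin/sh
# Added example (not from the xt_tls project): two OUTPUT-chain rule sets for
# port 443.  rules_all_packets reproduces the listing in the issue, where
# xt_tls inspects every packet; rules_handshake_only gates xt_tls behind
# conntrack so only the first client packets of each connection are parsed and
# later packets reuse the verdict stored in the connection mark.
#
# Assumptions: hostset name "blocklist" and the --tls-hostset/--tls-suffix
# options come from the listing; the mark values and the 6-packet window are
# arbitrary choices made here.  Both functions only PRINT iptables commands.
set -eu

IPT=${IPT:-iptables}
HOSTSET=${HOSTSET:-blocklist}
HELLO_WINDOW=${HELLO_WINDOW:-6}   # client->server packets assumed to cover the ClientHello
MARK_ALLOW=0x1
MARK_BLOCK=0x2

# Every packet to port 443 runs through xt_tls (what the listing shows).
rules_all_packets() {
  echo "$IPT -A OUTPUT -p tcp --dport 443 -m tls --tls-hostset $HOSTSET --tls-suffix -j DROP"
  echo "$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT"
}

# Only the handshake runs through xt_tls.
rules_handshake_only() {
  # 1. Connections that already carry a verdict never reach xt_tls again.
  echo "$IPT -A OUTPUT -p tcp --dport 443 -m connmark --mark $MARK_BLOCK -j DROP"
  echo "$IPT -A OUTPUT -p tcp --dport 443 -m connmark --mark $MARK_ALLOW -j ACCEPT"
  # 2. Unclassified packets are parsed for a ClientHello.  A blocklist hit marks
  #    the whole connection, so a retransmitted ClientHello is dropped by rule 1
  #    without being parsed a second time.
  echo "$IPT -A OUTPUT -p tcp --dport 443 -m tls --tls-hostset $HOSTSET --tls-suffix -j CONNMARK --set-mark $MARK_BLOCK"
  echo "$IPT -A OUTPUT -p tcp --dport 443 -m connmark --mark $MARK_BLOCK -j DROP"
  # 3. Past the handshake window with no hit: record "allowed" so the rest of the
  #    connection takes the fast path.  connbytes relies on conntrack accounting
  #    (nf_conntrack_acct); recent kernels enable it when the match is loaded.
  echo "$IPT -A OUTPUT -p tcp --dport 443 -m connbytes --connbytes ${HELLO_WINDOW}: --connbytes-dir original --connbytes-mode packets -j CONNMARK --set-mark $MARK_ALLOW"
  echo "$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT"
}

# 1-based position of the first rule that invokes the TLS parser in a rule set;
# the more fast-path rules sit in front of it, the fewer packets it sees.
tls_rule_position() {
  "$1" | grep -n -- '-m tls' | head -n 1 | cut -d: -f1
}

main() {
  echo "# every packet through xt_tls (TLS rule at position $(tls_rule_position rules_all_packets)):"
  rules_all_packets
  echo "# handshake only (TLS rule at position $(tls_rule_position rules_handshake_only)):"
  rules_handshake_only
}

main
```

The window is a performance trade-off, not a security boundary: it is only as strict as the assumption that the ClientHello is among the first few client packets of the connection, and the blocklist rule itself behaves exactly as in the listing above. Run the script to review the rules, then pipe the relevant function's output into sh on the firewall host to apply them.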