Open Shamanky opened 1 month ago
Can't say I have. But a more relevant metric here than throughput is how many new TLS connections you have per second. So if you set up your firewall to only run the handshake through xt_tls, then the CPU load should be pretty negligible.
For example if you have this:
```
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:https TLS suffix-match hostset blocklist
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
```
Then every single packet on port 443 will go through xt_tls, in which case, yes, high throughput might cause extra CPU load while using this module.
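As an added example (not code from the xt_tls project or from either participant in this thread), the script below contrasts the ruleset quoted above, where every outbound port-443 packet is handed to xt_tls, with a ruleset that only lets the first few client-to-server packets of each connection reach the TLS parser. It assumes the hostset name `blocklist` from the thread, the `--tls-hostset`/`--tls-suffix` option spelling of the hostset-capable xt_tls fork, a constructed 8-packet window, and arbitrary choices for the connmark value (1) and the helper chain name (`TLS_BLOCK`). Run it with no argument to print the scoped rules instead of loading them.

```shell
#!/bin/sh
# Added example: scope the xt_tls match to the start of each TCP connection.
# Not the project's own code. Assumptions: hostset "blocklist" exists; the
# match options are --tls-hostset / --tls-suffix; 8 packets is a constructed
# window; connmark 1 and chain TLS_BLOCK are arbitrary. The connbytes match
# relies on conntrack accounting (net.netfilter.nf_conntrack_acct); recent
# kernels switch it on when the match is loaded.

# Command used to apply rules. Set IPTABLES=echo for a dry run that prints
# the rules instead of loading them (no root needed).
IPTABLES="${IPTABLES:-iptables}"

# Pattern quoted in the thread: every outbound packet to :443 goes through
# xt_tls because the DROP rule has no cheaper match in front of -m tls.
rules_every_packet() {
    "$IPTABLES" -A OUTPUT -p tcp --dport 443 \
        -m tls --tls-hostset blocklist --tls-suffix -j DROP
    "$IPTABLES" -A OUTPUT -p tcp --dport 443 -j ACCEPT
}

# Scoped pattern: only the opening packets of a connection (where the TLS
# ClientHello sits) are parsed; everything after that window bypasses xt_tls.
rules_handshake_only() {
    # Chain reached once xt_tls has matched: remember the verdict on the
    # connection via connmark, then drop the packet.
    "$IPTABLES" -N TLS_BLOCK
    "$IPTABLES" -A TLS_BLOCK -j CONNMARK --set-mark 1
    "$IPTABLES" -A TLS_BLOCK -j DROP

    # 1. Cheapest check first: a connection already marked is dropped without
    #    any parsing, so retransmissions of a blocked ClientHello (which keep
    #    counting against the window) never reach xt_tls again.
    "$IPTABLES" -A OUTPUT -p tcp --dport 443 -m connmark --mark 1 -j DROP

    # 2. Matches are evaluated left to right, so connbytes screens out all
    #    but the first 8 client-to-server packets before -m tls is consulted.
    #    In OUTPUT the host is the client, so "original" is client->server.
    "$IPTABLES" -A OUTPUT -p tcp --dport 443 \
        -m connbytes --connbytes 1:8 --connbytes-dir original --connbytes-mode packets \
        -m tls --tls-hostset blocklist --tls-suffix -j TLS_BLOCK

    # 3. Everything else on :443 is accepted without TLS inspection.
    "$IPTABLES" -A OUTPUT -p tcp --dport 443 -j ACCEPT
}

# Number of iptables invocations a ruleset function performs, measured in a
# dry-run subshell so netfilter is never touched.
count_rules() {
    ( IPTABLES=echo; "$1" ) | wc -l | tr -d ' '
}

# Stand-alone use: no argument prints the scoped ruleset (dry run);
# "apply" loads it with $IPTABLES (root required).
if [ "${1:-}" = "apply" ]; then
    rules_handshake_only
else
    ( IPTABLES=echo; rules_handshake_only )
fi
```

The connmark step matters because a dropped ClientHello is retransmitted by the client with exponential backoff; without it, a retransmission arriving after the 8-packet window would fall through to the ACCEPT rule. Widening the window only delays that; marking the connection on the first match closes it.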
Have you tested this module under high load, e.g. 700 Mb (megabits)/s, 5000 Mb (megabits)/s? I am mainly interested in CPU load.