IPv6 Reverse Path firewall rule affects network throughput performance on high speed networks

Solution Verified - Updated -

Issue

  • IPv6 Reverse Path filter firewall rule affects network throughput performance on high speed networks
  • firewalld affects network throughput performance when 100 Gbps NIC is used
  • High speed networking with the firewalld firewall results in low performance and packet loss; dropwatch shows a high number of drops in nf_hook_slow
  • ip6tables translated rule using rpfilter match causes high CPU usage
  • nftables rule using fib match causes high CPU usage

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • firewalld firewall (all versions)
  • nftables IPv6 fib match, e.g.:
      nft add rule ip6 raw PREROUTING fib saddr . iif oif != 0 counter accept
