From: gypsy <gypsy@iswest.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] strange iptables mangle problem
Date: Wed, 12 Apr 2006 02:25:10 +0000
Message-ID: <443C6506.90C3B729@iswest.com>
In-Reply-To: <a763a15b0604110233n5e4f742el3c97bb5cde54573b@mail.gmail.com>
foxy 202 wrote:
>
> Hi all,
> I manage a network with two 100Mbit connections.
> In the past, when the network wasn't so loaded, everything was OK; now
> in peak hours the load on the border server is from 1.0 to 1.5 (it isn't so
> big),
> and for me it is very strange why the ping time increases
> from 0.5-5 ms in normal hours to 50-100 ms in peak hours.
>
> The server has good hardware:
> AMD 64 Dualcore 3800+
> Intel Gigabit Ethernet
> 1 GB RAM
> Debian sarge 2.6.16 #2 SMP kernel
>
> I use about 240 mangle rules with iptables to mark download traffic
> and to
> limit it, but when I try to load more rules the server's load increases and
> it begins to drop
> packets :(
>
> My question is why, when I try to load 200 new mangle rules (only
> mangle rules), the server's load average increases and the ping time increases
> to 50-100 ms ...
> And second, what is the better solution for networks with more than
> 100Mbit of traffic:
> to use iptables mangle rules + u32, or to use more u32 filters and
> fewer mangle rules?
>
> Actually I don't have experience with such big traffic, so any
> advice is welcome.
>
>
> Best Regards
> Emil
Emil,
I don't have any real answers but I encountered the same problem you
have, except your hardware is a lot better than mine. I'd load 255
rules and the keyboard would become unresponsive and the network was
terribly slow. Not just pings, everything.
I changed the NIC and that helped. I've forgotten what I replaced it
with, but it uses the Tulip driver and it is 100Mbit.
I changed iptables source code for connection tracking. TCP conntrack
is set to track connections for 5 DAYS! If I recall correctly, I
changed that to 20 minutes. That reduced the size of
/proc/net/ip_conntrack and that at least made the keyboard OK, but it
was still not enough.
You should search the mailing list archives for hashing.
(I gave up trying to maintain 255 marks.)
--
gypsy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
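The reply above points at hashing as the way out of a linear walk over hundreds of marks; as an added illustration (not code from this thread), the script below prints the tc commands for a 256-bucket u32 hash table keyed on the destination address, so each download packet to a /24 of hosts is classified by one table lookup instead of a scan over ~240 mangle rules. It assumes a root qdisc 1: (e.g. HTB) on the downstream interface with one class per host already created; the interface name, subnet and class mapping are placeholders.

```shell
#!/bin/sh
# Added example for this thread, not code from the original mail.
# Prints the tc commands for a hashed u32 filter table so download traffic
# to one /24 of hosts is classified by one hash lookup on the last octet of
# the destination address, instead of a linear walk over ~240 mangle rules.
# Assumptions (placeholders): a root qdisc 1: (e.g. HTB) on $dev with one
# class 1:<hex host octet> per host already created; $net is three octets.

# bucket HOST_OCTET: hex bucket index. With divisor 256 and hashkey mask
# 0x000000ff the u32 classifier's bucket is exactly the last address octet.
bucket() {
    printf '%x' "$1"
}

# hash_table_cmds DEV NET: create the 256-bucket table (handle 2:) and a
# filter in the root table (800:) that matches the /24 and hashes on the
# destination address (offset 16 in the IPv4 header) into table 2:.
hash_table_cmds() {
    dev=$1; net=$2
    echo "tc filter add dev $dev parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256"
    echo "tc filter add dev $dev parent 1:0 prio 5 protocol ip u32 ht 800:: match ip dst $net.0/24 hashkey mask 0x000000ff at 16 link 2:"
}

# host_filter_cmd DEV NET HOST_OCTET CLASSID: one entry in the bucket that
# this host hashes to; the kernel only walks the entries of that bucket.
host_filter_cmd() {
    dev=$1; net=$2; host=$3; classid=$4
    echo "tc filter add dev $dev parent 1:0 prio 5 protocol ip u32 ht 2:$(bucket "$host"): match ip dst $net.$host flowid $classid"
}

# subnet_cmds DEV NET: full rule set for hosts .1 to .254, mapping host .N
# to class 1:<N in hex> (tc class minor ids are hexadecimal).
subnet_cmds() {
    dev=$1; net=$2
    hash_table_cmds "$dev" "$net"
    h=1
    while [ "$h" -le 254 ]; do
        host_filter_cmd "$dev" "$net" "$h" "1:$(bucket "$h")"
        h=$((h + 1))
    done
}

# Review the output first, then apply with: subnet_cmds eth1 10.1.1 | sh
subnet_cmds eth1 10.1.1
```

The generated rules replace only the classification step; the per-host rate limits still live in the HTB classes the filters point at.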