[LARTC] strange iptables mangle problem

[LARTC] strange iptables mangle problem

[foxy 202]

[-- Attachment #1.1: Type: text/plain, Size: 1103 bytes --]

Hi all,
   I manage network with two connections with l00Mbit
In the past when network wasn't so load everything was OK, now
in pick hours load over  border server  from 1.0 to 1.5  / it isn't so big /
and  for me is very strange why I have increasing of ping timeout
from 0.5- 5ms  in normal hour to 50-100 ms in pick hours..

 server is with good hardware
    AMD 64 Dualcore 3800+
    Intel Gigabit Ethernet
    1 GB RAM
    Debian sarge 2.6.16 #2 SMP kernel

I use about 240 mangle rules with iptables  to mark download traffic and to
limit it but when I try to load more rules server increase load  and begin
to drop
packages :(

 my question is why when I try to load new 200 mangle rules / only mangle
rules /  server increase load average and ping timeout increase to 50-100 ms
…
and second is what is better solution for networks with more then 100Mbit
traffic ..
  to use iptables mangle rules + u32 or to use more u32 filters and less
mangle rules ?

  Actually I don't have experience with so big traffic and I need any advice
is welcome.


Best Regards
Emil

[-- Attachment #1.2: Type: text/html, Size: 2370 bytes --]

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] strange iptables mangle problem

[gypsy]

foxy 202 wrote:
> 
> Hi all,
>    I manage network with two connections with l00Mbit
> In the past when network wasn't so load everything was OK, now
> in pick hours load over  border server  from 1.0 to 1.5  / it isn't so
> big /
> and  for me is very strange why I have increasing of ping timeout
> from 0.5- 5ms  in normal hour to 50-100 ms in pick hours..
> 
>  server is with good hardware
>     AMD 64 Dualcore 3800+
>     Intel Gigabit Ethernet
>     1 GB RAM
>     Debian sarge 2.6.16 #2 SMP kernel
> 
> I use about 240 mangle rules with iptables  to mark download traffic
> and to
> limit it but when I try to load more rules server increase load  and
> begin to drop
> packages :(
> 
>  my question is why when I try to load new 200 mangle rules / only
> mangle rules /  server increase load average and ping timeout increase
> to 50-100 ms …
> and second is what is better solution for networks with more then
> 100Mbit traffic ..
>   to use iptables mangle rules + u32 or to use more u32 filters and
> less mangle rules ?
> 
>   Actually I don't have experience with so big traffic and I need any
> advice is welcome.
> 
> 
> Best Regards
> Emil

Emil,

I don't have any real answers but I encountered the same problem you
have, except your hardware is a lot better than mine.  I'd load 255
rules and the keyboard would become unresponsive and the network was
terribly slow.  Not just pings, everything.

I changed the NIC and that helped.  I've forgotten what I replaced it
with, but it uses the Tulip driver and it is 100Mbit.

I changed iptables source code for connection tracking.  TCP conntrack
is set to track connections for 5 DAYS!  If I recall correctly, I
changed that to 20 minutes.  That reduced the size of
/proc/net/ip_conntrack and that at least made the keyboard OK, but it
was still not enough.

You should search the mailing list archives for hashing.

(I gave up trying to maintain 255 marks.)
--
gypsy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc