From: Konstantin Svist <kostya@relevad.com>
To: netfilter@lists.netfilter.org
Subject: Re: need advice for high traffic network
Date: Thu, 19 Jul 2007 15:40:27 -0700	[thread overview]
Message-ID: <469FE85B.3010502@relevad.com> (raw)
In-Reply-To: <Pine.LNX.4.63.0707191516340.23721@qynat.qvtvafvgr.pbz>

# cat /proc/sys/net/netfilter/nf_conntrack_max
65536

somehow I doubt I have THAT many connections :)

highest load right now is around 600 requests per second, and ~60% 
complete within 10ms - the rest complete within 200ms (unless the 
firewall is turned on - then some start timing out 3s and up)



David Lang wrote:
> I'll bet you are hitting your max connections
>
> check the value of net.ipv4.netfilter.ip_conntrack_max
>
> David Lang
>
> On Thu, 19 Jul 2007, Konstantin Svist wrote:
>
>> Date: Thu, 19 Jul 2007 15:17:00 -0700
>> From: Konstantin Svist <kostya@relevad.com>
>> To: netfilter@lists.netfilter.org
>> Subject: need advice for high traffic network
>>
>> Hi,
>>
>> I have a network (LAN) consisting of (mostly) gigabit ethernet on a 
>> few switches. Most of the traffic is taken up by small HTTP requests. 
>> All computers are running Fedora (all are core 4 through 7).
>>
>> I've been having some problems with servers not being accessible and 
>> just last night noticed that the problems disappear when I turn off 
>> the firewall.
>> What happens is that there are lots of small HTTP requests and 
>> apparently at some point the firewall starts dropping or disallowing 
>> new connections. This has been verified with both ab (apache 
>> benchmark) and plain SSH - a lot of times the connections time out or 
>> take a long time to get established.
>> There are ~25 rules total (as listed by 'iptables -L')
>>
>> As a temporary measure, I've turned off firewalls on more of the 
>> servers until I can figure out a better solution - I'd like to have a 
>> firewall on each server, but performance is more important.
>>
>> I'm looking at nf-HiPAC right now - will probably try it some time 
>> soon. Beyond that, I'm out of ideas for the moment.
>>
>> Is there anything else I can do?
>> Any other firewalls? Tricks with rearranging the rules?
>> etc...
>>
>>
>> Thanks!
>>
>>
>>
>> Notes:
>> * Problems do not seem to be limited to any specific Fedora version 
>> or hardware.
>> * external firewalls are out of the question, unless they're really 
>> small & cheap: there are >40 servers in the internal network and the 
>> number is growing
>>
>>
>>
>>
>>
>
>

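Added example, not from this thread or its participants: a small POSIX sh check that reads nf_conntrack_max (falling back to the older ip_conntrack_max name David Lang mentions) and compares it with the steady-state occupancy that a given request rate implies. It assumes one TCP connection per HTTP request and that closed connections keep their conntrack entry for the kernel's default TIME_WAIT timeout of 120 s (nf_conntrack_tcp_timeout_time_wait), so that "lots of small requests" can exhaust the table even when very few connections are open at once; the lifetime is a parameter so you can plug in your own timeout.

```shell
#!/bin/sh
# Added example (not part of the thread). Assumptions: one connection per
# request; expired connections linger for LIFETIME_SEC (default 120 s, the
# kernel's default nf_conntrack_tcp_timeout_time_wait) before their entry is freed.

# estimate_entries RATE_PER_SEC LIFETIME_SEC -> steady-state conntrack entries
estimate_entries() {
    echo $(( $1 * $2 ))
}

# check_headroom MAX ENTRIES -> prints "<percent> <status>";
# returns 0 ok, 1 warning (>= 80 %), 2 critical (>= 100 %), 3 bad input
check_headroom() {
    max=$1; entries=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo "invalid max: $max" >&2; return 3; }
    pct=$(( entries * 100 / max ))
    if [ "$pct" -ge 100 ]; then status=critical; rc=2
    elif [ "$pct" -ge 80 ]; then status=warning; rc=1
    else status=ok; rc=0
    fi
    echo "$pct $status"
    return $rc
}

# read_sysctl NAME: try the nf_conntrack path quoted in the thread first, then
# the older net.ipv4.netfilter.ip_conntrack_* name; fail if neither exists.
read_sysctl() {
    for f in /proc/sys/net/netfilter/nf_$1 /proc/sys/net/ipv4/netfilter/ip_$1; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}

# main RATE_PER_SEC [LIFETIME_SEC]: report the live limit/count and the estimate
main() {
    max=$(read_sysctl conntrack_max) || max=65536        # value quoted in the thread
    live=$(read_sysctl conntrack_count) || live=unknown   # current entries, if exposed
    est=$(estimate_entries "$1" "${2:-120}")
    echo "conntrack_max=$max current=$live estimated_steady_state=$est"
    check_headroom "$max" "$est"
}

# Run only when a request rate is given, e.g.: sh conntrack_check.sh 600
[ -n "${1:-}" ] && main "$@"
```

With the thread's own numbers (600 req/s, 65536 max) the estimate is 72000 entries, i.e. the table overflows before the open-connection count ever looks large.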