From: Patrick McHardy <kaber@trash.net>
To: Guillaume Leccese <guillaume.leccese@oxalide.com>
Cc: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Subject: Re: iptables logging to syslog: performance problem
Date: Tue, 23 Oct 2007 17:49:50 +0200
Message-ID: <471E181E.3050505@trash.net>
In-Reply-To: <471E0F68.4010700@oxalide.com>

Guillaume Leccese wrote:
> Hi list,
> 
> On a 2.6.19.1 kernel box (nfct patch from Julian
> http://www.ssi.bg/~ja/nfct/) we have a strange performance problem.
> 
> When a scan occurs on a /24 network handled by the firewall (on a filtered
> port), packet dropping produces syslog output. During the logging process,
> the traffic is in a frozen state (2 seconds to 30 seconds, depending on the
> number of ports scanned).
> 
> vmstat output when the problem happen:
> 
> procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
> 2 0     0 577112 102152 266592     0     0     0     0 1698 1513 0 16 84 0
> 2 0     0 576120 102152 266592     0     0     0     0 1690 1507 0 16 83 0
> 
> Before, interrupts are at approximately 25k/sec (symmetrical to the
> traffic). For instance, usually we have 100mb/s outgoing with
> a peak above 200mb/s during high activity.
> 
> vmstat output at normal state:
> 
> procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
> 0  0      0 753820 113540  77544    0    0     0    16 24668   91  0  6 94  0
> 0  0      0 753820 113540  77544    0    0     0     0 24919   72  0  7 93  0
> 
> The problem can be reproduced with an nmap /24 scan on a specific port or
> with a full scan on a single host.
> 
> vmstat output when output to syslog is not active:
> 
> Oct 20 00:46:50 2 0 0 814400 43740 99024 0 0 0 0 16995 7325 10 32 58 0
> Oct 20 00:46:51 2 0 0 814316 43740 99024 0 0 0 0 16166 7322 10 32 58 0
> 
> I have done these vmstats during the night; traffic was not so
> heavy, but interrupts did not decrease and no freeze was noticed.
> 
> When output to syslog is not effective, there is no performance decrease.
> 
> More details about the configuration:
> 
> - Linux 2.6.19.1, module support enabled, iptables not built as a module
> - e1000, tigon3 and sundance drivers as modules
> - bonding device in module
> - 2x e1000, driver v7.6.9 stable, in bonding
> - Keepalived 1.1.12-1, Debian apt version
> 
> Comments and help are welcome.

Are you using serial console?

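The question above is probing one specific failure mode: netfilter's LOG target goes through printk, and printk writes to any registered console synchronously in the caller's context before it returns, so a LOG line per dropped packet on a slow serial console stalls the packet path for the duration of the UART write, while syslog alone (klogd reading the ring buffer) does not. Whether a LOG message reaches the console at all depends on the first field of /proc/sys/kernel/printk (console_loglevel): a message is printed to the console only when its level is strictly below that value, and the LOG target's default --log-level is 4 (warning). The check below is an added example, not code from the thread or from netfilter; the printk fields and kernel command line are passed in as constructed strings so it runs offline, and on a live box you would feed it `$(cat /proc/sys/kernel/printk)` and `$(cat /proc/cmdline)`.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether iptables LOG
# messages are written synchronously to a serial console.

# Return 0 (true) when a printk at level $2 reaches the console, given the
# four /proc/sys/kernel/printk fields in $1. The kernel prints a message on
# the console when its level is strictly below console_loglevel, the first
# field.
log_reaches_console() {
    printk_fields=$1                       # e.g. "7 4 1 7"
    msg_level=$2                           # iptables LOG --log-level, default 4
    console_loglevel=${printk_fields%% *}  # first whitespace-separated field
    [ "$msg_level" -lt "$console_loglevel" ]
}

# Return 0 when the kernel command line names a serial console
# (console=ttyS* on PC hardware, console=ttyAMA* on ARM boards).
has_serial_console() {
    cmdline=$1
    case " $cmdline " in
        *" console=ttyS"*|*" console=ttyAMA"*) return 0 ;;
    esac
    return 1
}

# Combine both: $1 = printk fields, $2 = kernel cmdline, $3 = LOG level.
#   serial-console-flood : every LOG line is pushed through the UART by
#                          printk before the packet path continues
#   console-and-syslog   : printed on the local (VGA/framebuffer) console
#                          and picked up by klogd, no serial stall
#   syslog-only          : below console_loglevel, ring buffer and klogd only
log_verdict() {
    if has_serial_console "$2" && log_reaches_console "$1" "$3"; then
        echo "serial-console-flood"
    elif log_reaches_console "$1" "$3"; then
        echo "console-and-syslog"
    else
        echo "syslog-only"
    fi
}

# Constructed sample inputs (assumed values, not the reporter's actual box).
log_verdict "7 4 1 7" "root=/dev/sda1 console=ttyS0,9600 ro" 4
log_verdict "7 4 1 7" "root=/dev/sda1 ro" 4
log_verdict "4 4 1 7" "root=/dev/sda1 console=ttyS0,9600 ro" 4
log_verdict "7 4 1 7" "root=/dev/sda1 console=ttyS0,9600 ro" 7
```

The fourth sample shows the cheapest fix on the firewall itself: giving the LOG rule `--log-level 7` (debug) keeps it below the usual console_loglevel, so the line still lands in syslog but never touches the console. Independently of console routing, a LOG rule that fires once per dropped packet during a /24 scan is itself the flood; the standard netfilter options for that, not discussed in the thread, are putting `-m limit --limit N/s --limit-burst M` in front of `-j LOG`, or replacing LOG with NFLOG and a userspace reader such as ulogd so nothing goes through printk at all.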


Thread overview: 7+ messages
2007-10-23 15:12 iptables logging to syslog: performance problem Guillaume Leccese
2007-10-23 15:49 ` Patrick McHardy [this message]
2007-10-23 15:58   ` Guillaume Leccese
2007-10-23 16:05     ` Jan Engelhardt
2007-10-23 16:18     ` Patrick McHardy
2007-10-23 16:41       ` Guillaume Leccese
2007-10-23 16:45         ` Patrick McHardy
