From: Michele Petrazzo - Unipex <michele.petrazzo@unipex.it>
To: John Little <jlittle_97@yahoo.com>
Cc: "Thomas Jacob" <jacob@internet24.de>,
"Gáspár Lajos" <swifty@freemail.hu>,
netfilter@vger.kernel.org
Subject: Re: Using iptables with high volume mail
Date: Fri, 02 Oct 2009 17:08:13 +0200
Message-ID: <4AC6175D.4020600@unipex.it>
In-Reply-To: <150303.95092.qm@web53112.mail.re2.yahoo.com>
John Little wrote:
>> What matters most is what happens in each time slice, not so much
>> how many connections you have in the connection hash table (you can
>> tune that table with
>> /proc/sys/net/ipv4/netfilter/ip_conntrack_max and
>> /sys/module/ip_conntrack/parameters/hashsize).
>>
Except that if the table fills up you'll see some "table full" kernel
messages and the connections will be refused!
>> However, emails per time should be pretty much the same as
>> connections per time, unless you open several tcp connections over
>> the nat box for each email, and I see no reason why you would need
>> to do that ;)
>
> We have some stats now:
> Packets per second: avg 6221 max 41,810
> Connections peak: avg 7263 max 22,981
>
> New connections per second: avg 102 max 1029
> If I allocate 500 bytes per connection at the max
> connections I would need ~87Mb + machine overhead. That's not much
> in today's world of servers.
Just to add some real numbers that I hope will pacify your heart, with the
lnstat tool (lnstat -f ip_conntrack) I have here:
100k entries into ip_conntrack, about 700 new conn/sec, 8k iptables
rules, 0.5/0.8 cpu load, with a xeon 4 cores and 2 gb ram and e1000e
card and no problems at all.
The only thing that I can tell you to do with these cards is to
_update_ the drivers with the latest one found on the site, because those in
the vanilla kernel aren't so stable and can (who can say for sure?) *oops*
your server.
> Thanks, John
>
Michele
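An added example, not code from this thread or from the kernel tree: a small POSIX shell check for the two things the thread discusses, how full the conntrack table is relative to ip_conntrack_max and hashsize, and whether the "table full" kernel messages Michele mentions have appeared. The 75%/90% thresholds and the sample log lines are constructed for illustration, and the /proc/sys/net/netfilter/nf_conntrack_* and /sys/module/nf_conntrack paths are assumed as the current-kernel equivalents of the ip_conntrack paths quoted above.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from the kernel tree.
# Two checks for conntrack-table exhaustion: usage against the max/hashsize
# limits, and "table full" kernel messages. Thresholds and sample log lines
# are constructed for illustration.

# conntrack_report ENTRIES MAX HASHSIZE
# Prints one status line; returns 0 (OK), 1 (WARN, >=75% used) or 2 (CRIT, >=90%).
conntrack_report() {
    count=$1; max=$2; hashsize=$3
    pct=$(( count * 100 / max ))
    # Entries per hash bucket, rounded up: when this climbs well above 1 every
    # lookup walks a long chain and CPU load rises before the table is full.
    chain=$(( (count + hashsize - 1) / hashsize ))
    if [ "$pct" -ge 90 ]; then status=CRIT; rc=2
    elif [ "$pct" -ge 75 ]; then status=WARN; rc=1
    else status=OK; rc=0; fi
    echo "$status entries=$count max=$max used=${pct}% avg_chain=$chain"
    return $rc
}

# Count "table full, dropping packet" lines in a kernel log (files or stdin);
# matches both the old ip_conntrack and the current nf_conntrack prefix.
# Prints the count and returns 1 if any were seen.
conntrack_table_full_count() {
    n=$(grep -c 'conntrack: table full, dropping packet' "$@") || n=${n:-0}
    echo "$n"
    [ "$n" -eq 0 ]
}

# Constructed sample of kernel output (not a real capture).
SAMPLE_KERNEL_LOG='[ 1234.5678] nf_conntrack: table full, dropping packet
[ 1234.5690] nf_conntrack: table full, dropping packet
[ 1300.0001] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex
[ 1400.0002] ip_conntrack: table full, dropping packet.'

# Read the live counters: the thread quotes the 2.6-era ip_conntrack paths;
# the nf_conntrack ones are assumed to be what current kernels expose.
first_readable() { for f in "$@"; do [ -r "$f" ] && { cat "$f"; return 0; }; done; return 1; }
conntrack_live() {
    count=$(first_readable /proc/sys/net/netfilter/nf_conntrack_count) || return 3
    max=$(first_readable /proc/sys/net/netfilter/nf_conntrack_max \
                         /proc/sys/net/ipv4/netfilter/ip_conntrack_max) || return 3
    hs=$(first_readable /sys/module/nf_conntrack/parameters/hashsize \
                        /sys/module/ip_conntrack/parameters/hashsize) || return 3
    conntrack_report "$count" "$max" "$hs"
}

# Usage: sh conntrack_check.sh live   (run both checks against this kernel)
if [ "${1:-}" = live ]; then
    conntrack_live
    dmesg 2>/dev/null | conntrack_table_full_count >/dev/null || echo "table-full drops seen in dmesg"
fi
```

On a 2.6-era ip_conntrack kernel without nf_conntrack_count, feed the entries column of `lnstat -f ip_conntrack` to conntrack_report by hand.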