From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Jorrit Kronjee <j.kronjee@infopact.nl>, netfilter-devel@vger.kernel.org
Subject: Re: debugging kernel during packet drops
Date: Mon, 22 Mar 2010 19:02:06 +0100 [thread overview]
Message-ID: <4BA7B09E.9030306@trash.net> (raw)
In-Reply-To: <alpine.LSU.2.01.1003221849050.2821@obet.zrqbmnf.qr>
Jan Engelhardt wrote:
> On Monday 2010-03-22 18:16, Patrick McHardy wrote:
>>> I used brctl to build the bridge. The DoS machine has a custom built
>>> tool that allows me to send small packets at very fast rates. I've
>>> discovered that bridging still works reliably at around 300 kpackets/s
>>> (notice the 'k' in there). However, as said before, I was trying to
>>> limit the amount of packets/s, so I used netfilter's hashlimit module.
>>> This is when packet drops started to appear.
>>>
>>> At around 300 kpps, the amount of packet drops is 40 kpps. For me, this
>>> amount is too significant to ignore. I see the load average go from a
>>> comfortable 0.00 to 1.78, mainly caused by ksoftirqd processes. At 200
>>> kpps, the average amount of packet drops is 23 kpps. At 100 kpps, it's
>>> still 2 kpps.
>
>> A couple of suggestions:
>>
>> - try the limit module in case you don't actually need per-source/dest etc.
>> limiting but just a global limit
>
> The token-per-jiffy math logic used in xt_limit and some other
> modules is known to be inaccurate at high speeds.
>
> My suggestion is therefore to try xt_rateest instead which has
> a somewhat different logic.
Good point, I forgot about xt_rateest :)
next prev parent reply other threads:[~2010-03-22 18:02 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-22 10:41 debugging kernel during packet drops Jorrit Kronjee
2010-03-22 17:16 ` Patrick McHardy
2010-03-22 17:53 ` Jan Engelhardt
2010-03-22 18:02 ` Patrick McHardy [this message]
2010-03-23 15:14 ` Jorrit Kronjee
2010-03-23 15:39 ` Patrick McHardy
2010-03-23 17:21 ` Eric Dumazet
2010-03-23 20:07 ` Eric Dumazet
2010-03-24 15:20 ` Jorrit Kronjee
2010-03-24 16:21 ` Eric Dumazet
2010-03-24 16:28 ` Jan Engelhardt
2010-03-24 17:04 ` Eric Dumazet
2010-03-24 17:25 ` Jan Engelhardt
2010-03-25 9:32 ` Eric Dumazet
2010-03-25 10:35 ` Patrick McHardy
2010-03-25 11:02 ` Eric Dumazet
2010-03-31 12:23 ` [PATCH nf-next-2.6] xt_hashlimit: RCU conversion Eric Dumazet
2010-04-01 11:03 ` Patrick McHardy
2010-04-01 12:10 ` Eric Dumazet
2010-04-01 12:36 ` Patrick McHardy
2010-03-25 12:42 ` debugging kernel during packet drops Jan Engelhardt
2010-03-30 12:06 ` Jan Engelhardt
2010-03-30 14:12 ` Patrick McHardy
2010-03-26 10:41 ` Jorrit Kronjee
2010-03-26 11:21 ` Eric Dumazet
2010-03-26 14:17 ` Eric Dumazet
2010-03-26 15:54 ` Jorrit Kronjee
2010-03-23 17:04 ` James King
2010-03-23 17:23 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BA7B09E.9030306@trash.net \
--to=kaber@trash.net \
--cc=j.kronjee@infopact.nl \
--cc=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.