Re: netfilter conntrack performance problems

["Stephen J. Smoogen" <smooge@gmail.com>]

On 9/19/05, Horvath Szabolcs <hsz@sth.sze.hu> wrote:
> Hi!
> 
> We have a firewalling-only machine, called natbox. Traffic is around
> 20-40 MByte/s, ~400 clients snatted to 4 public IPs, approx. 10000-40000
> parallel connections.
>
> 
> from the munin graphics, I see the nic's interrupts generate the machine
> load. What can we tuning to provide better performance?
> 
> It is a P4 3.0GHz with 1 GB ram, is this computer enough to do this task?
> 
>

This is more dependant on what kind of network cards are on the box,
if they can use NAPI... are they PCI, PCI-X, PCI-Express, and how well
they work. there is also a dependency on the network switches and how
they interact with the network cards. [The SNAT also has an overhead
which probably generates irq's.. not sure how much though.]

A couple of parameters I have seen improve things:

1) use the same network card on both interfaces. and use a network
card that has a good NAPI history. Harald Welt had a couple listed in
his blog a while back.. I think the e1000 came out ok.

2) I think that having the cards on the same PCI-X bus can help... but
could be wrong here.. major allergies and my head isnt too clear. If
you can find a set of cards/motherboard with 2 PCI-Express slots..
that would be best.

3) Make sure that the switches are able to handle the load. We had a
problem where we thought a firewall was crap but it turned out to be
that the switch was the problem causing a lot of resends.. this
generated a lot of load.

4) Try out jumbo frames. I think we found this decreased load.. but
was dependant on the switches/routers handling it correctly.

5) Finally.. does changing this have any effect


irq moderation:  disabled

have to take more allergy medicine.. hope this helped.

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator