* [LARTC] Memory consumption
@ 2005-03-30 14:13 Kenneth Kalmer
From: Kenneth Kalmer @ 2005-03-30 14:13 UTC (permalink / raw)
To: lartc
Hope everyone had a festive Easter weekend!
Is it possible to monitor how much memory iptables or kernel consumes
while processing packets as they go through the firewall? The same
question goes for having a large number of routes in the routing table
(>700).
A few reasons for asking, but the two major ones are from the
following situations:
1. We provide 420 flats in a complex with broadband internet from one
source where I do the shaping and firewalling. The number of rules is
already insane, over 1000. I need to match MAC and IP addresses and only
allow certain destination ports and so forth. This works, but you
can feel the box is lagging under heavy loads although top and free
report there is still some memory available. I wanna add rules to
have all packets dumped in a SQL database using ulogd to perform some
extensive analysis myself (and move the project into the public domain
later this year...)
2. Just to have all packets logged as in example 1, but without the
number of users and other rules.
Just to restate my questions:
1. How can I monitor the amount of CPU and memory usage of the kernel
spent on processing each packet as it traverses the various chains and
tables?
2. What would be the recommended CPU for use on an iptables firewall
machine for heavy loads?
Thanks in advance
--
Kenneth Kalmer
kenneth.kalmer@gmail.com
http://opensourcery.blogspot.com
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
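The original post asks how to see what the kernel is spending on packet processing, which top does not break out per rule. On Linux the closest cheap proxies are the softirq and system columns of /proc/stat (netfilter and tc run mostly in the NET_RX softirq path) and the kernel's unreclaimable slab memory in /proc/meminfo and /proc/slabinfo, which is where conntrack entries and route cache objects live. The script below is an added example, not something posted to the thread; it assumes a Linux /proc layout (reading /proc/slabinfo needs root on most kernels), and the `softirq_pct` and `slab_*` function names are my own.

```shell
#!/bin/sh
# Added example: sample the kernel's softirq/system CPU share and slab memory
# over an interval, as a proxy for the cost of iptables/tc processing.
# Assumes Linux /proc files; function names are this example's own.

# Parse one aggregate "cpu ..." line from /proc/stat.
# Prints: "<total jiffies> <softirq jiffies> <system jiffies>".
cpu_fields() {
  set -- $1      # word-split: cpu user nice system idle iowait irq softirq steal ...
  total=$(( $2 + $3 + $4 + $5 + $6 + $7 + $8 + ${9:-0} ))
  echo "$total $8 $4"
}

# Given two /proc/stat cpu lines taken some time apart, print the percentage
# of the interval spent in softirq and in system (kernel) context.
softirq_pct() {
  a=$(cpu_fields "$1"); b=$(cpu_fields "$2")
  set -- $a; ta=$1; sa=$2; ka=$3
  set -- $b; tb=$1; sb=$2; kb=$3
  dt=$(( tb - ta ))
  [ "$dt" -gt 0 ] || { echo "0 0"; return 1; }
  echo "$(( (sb - sa) * 100 / dt )) $(( (kb - ka) * 100 / dt ))"
}

# Unreclaimable slab memory (kB) from /proc/meminfo text: kernel objects such
# as conntrack entries and routing cache entries are accounted here.
slab_kb() {
  printf '%s\n' "$1" | awk '/^SUnreclaim:/ {print $2}'
}

# Size in kB of one named slab cache from /proc/slabinfo text
# (columns: name active_objs num_objs objsize ...), e.g. nf_conntrack.
slab_cache_kb() {
  printf '%s\n' "$1" | awk -v n="$2" '$1 == n { printf "%d\n", $3 * $4 / 1024 }'
}

# Live sampler: take two snapshots N seconds apart and report the deltas,
# alongside the rule and route counts that drive the cost.
sample() {
  interval=${1:-5}
  s1=$(grep '^cpu ' /proc/stat); m1=$(slab_kb "$(cat /proc/meminfo)")
  sleep "$interval"
  s2=$(grep '^cpu ' /proc/stat); m2=$(slab_kb "$(cat /proc/meminfo)")
  set -- $(softirq_pct "$s1" "$s2")
  echo "softirq ${1}%  system ${2}%  SUnreclaim delta $(( m2 - m1 )) kB"
  echo "iptables rules: $(iptables-save 2>/dev/null | grep -c '^-A')"
  echo "routes: $(ip route 2>/dev/null | wc -l)"
  [ -r /proc/slabinfo ] && \
    echo "nf_conntrack slab: $(slab_cache_kb "$(cat /proc/slabinfo)" nf_conntrack) kB"
}

# Run as: sh sample.sh --live [seconds]
[ "${1:-}" = "--live" ] && sample "${2:-5}"
```

Run it during peak and again after adding a batch of rules: a rising softirq share at the same traffic level means the rule walk itself is the cost, while a growing SUnreclaim or nf_conntrack figure points at state (conntrack, routes), not rules. Per-rule cost is not exposed by the kernel; the packet and byte counters from `iptables -L -v -n -x` show which rules are hit most, which is usually enough to reorder the hot ones to the top of the chain.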
* Re: [LARTC] Memory consumption
@ 2005-04-03 14:32 Bikrant Neupane
From: Bikrant Neupane @ 2005-04-03 14:32 UTC (permalink / raw)
To: lartc
Just as you said, I am also doing traffic shaping using iptables, tc and htb to
control b/w of around 400 users.
I have around 900 rules in the filter table that do MAC+IP based filtering
with rate limiting (for pkt per sec control) and another 900+ rules in the mangle
table for traffic shaping purposes. I am doing it on a Dell P4 2.4GHz
box with 2 GB RAM. Traffic reaches around 17Mbps at peak. Along with that
I have MRTG that builds the graph of each htb leaf. With all that my system
CPU utilization reaches up to 55% at peak. Now I think it is time to move the
MRTG configs to another system dedicated to graphing.
However, I have myself not been able to find out how much CPU is spent by the
system in filtering and shaping the traffic. If anyone can shed some light on
it, it will be a great help for proper analysis. I even got suggestions
to use high performance firewall (http://www.hipac.org/) instead of iptables
but I have been using the current setup for the last 2 years without much problem
( except losing track of the nodes and leaves ;) ) so I still have
doubts about shifting to a very new setup.
best regards,
Bikrant