* [LARTC] Bandwith limitation
From: Rinse Kloek @ 2003-03-10 8:41 UTC (permalink / raw)
To: lartc
We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits Gigabit
interfaces. On the machine we have a lot of iptables rules like :
all -- 213.134.225.0 0.0.0.0/0
all -- 0.0.0.0/0 213.134.225.0
TOS all -- 213.134.225.4 0.0.0.0/0 TOS set 0x08
all -- 0.0.0.0/0 213.134.225.4
Currently in the peak hours we have about 40 Megabit traffic. Also in this
peak hours we have a CPU load of about 70%. What is the main reason of this
CPU load, is it the high traffic or the iptables rules on the machine. And
if the iptables rules are the reason of the high CPU load, does TOS
mangling use much CPU?
Kindly regards,
Rinse Kloek - Solcon Internetdiensten B.V.
www.solcon.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Bandwith limitation
From: Stef Coene @ 2003-03-10 17:41 UTC (permalink / raw)
To: lartc
On Monday 10 March 2003 09:41, Rinse Kloek wrote:
> We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits
> Gigabit interfaces. On the machine we have a lot of iptables rules like :
> all -- 213.134.225.0 0.0.0.0/0
> all -- 0.0.0.0/0 213.134.225.0
> TOS all -- 213.134.225.4 0.0.0.0/0 TOS set 0x08
> all -- 0.0.0.0/0 213.134.225.4
>
> Currently in the peak hours we have about 40 Megabit traffic. Also in this
> peak hours we have a CPU load of about 70%. What is the main reason of this
> CPU load, is it the high traffic or the iptables rules on the machine. And
> if the iptables rules are the reason of the high CPU load, does TOS
> mangling use much CPU?
I'm not sure, but I think the high traffic is the problem. And for iptables,
I think changing something (TOS or DNAT/SNAT) is the most CPU intensive.
Maybe you can try to rearrange the iptables rules so the most matched rules
are in the beginning of your firewall script.
Maybe you can create a test setup so you can generate 40 Megabit traffic on a
test bridge without iptables rules to see what the CPU does.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
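Added example, not part of the thread: a rough model of the reordering suggested above, estimating from the packet counters how many rules an average packet is tested against before and after sorting the hottest rules first. It assumes rules match disjoint traffic (for example one host per rule), no jumps to user chains, and the constructed sample listing below; rules with no target never stop traversal, so reordering a chain made only of accounting rules changes nothing.

```python
import re

# Targets that end traversal of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample in the layout of `iptables -L FORWARD -v -n -x`.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 100 packets, 6400 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      50     3200            all  --  *      *       192.0.2.10           0.0.0.0/0
     100     6400 ACCEPT     all  --  *      *       192.0.2.11           0.0.0.0/0
     800    51200 ACCEPT     all  --  *      *       192.0.2.12           0.0.0.0/0
"""

def parse_listing(text):
    """Return (policy_packets, [(packets, target), ...]) for one chain."""
    policy_pkts, rules = 0, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "Chain":
            m = re.search(r"policy \w+ (\d+) packets", line)
            policy_pkts = int(m.group(1)) if m else 0
        elif tok[0].isdigit():
            # Assumption: the opt column reads "--"; a rule without -j has an
            # empty target column, so "--" sits one position earlier.
            target = tok[2] if len(tok) > 4 and tok[4] == "--" else ""
            rules.append((int(tok[0]), target))
    return policy_pkts, rules

def evaluations_per_packet(policy_pkts, rules):
    """Average number of rules a packet is tested against, in this order."""
    total = policy_pkts + sum(p for p, t in rules if t in TERMINATING)
    remaining, evals = total, 0
    for pkts, target in rules:
        evals += remaining            # every packet still in the chain is tested
        if target in TERMINATING:
            remaining -= pkts         # matched packets leave the chain here
    return evals / total if total else 0.0

def hottest_first(rules):
    """Reorder by hit count; only valid when rules match disjoint traffic."""
    return sorted(rules, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    policy, rules = parse_listing(SAMPLE)
    print(evaluations_per_packet(policy, rules))                 # current order
    print(evaluations_per_packet(policy, hottest_first(rules)))  # reordered
```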
* Re: [LARTC] Bandwith limitation
From: Rinse Kloek @ 2003-03-10 17:50 UTC (permalink / raw)
To: lartc
> On Monday 10 March 2003 09:41, Rinse Kloek wrote:
> > We use a RedHat 7.3 machine as bridge on a P3 1.8 Ghz with 2 64 bits
> > Gigabit interfaces. On the machine we have a lot of iptables rules like :
> > all -- 213.134.225.0 0.0.0.0/0
> > all -- 0.0.0.0/0 213.134.225.0
> > TOS all -- 213.134.225.4 0.0.0.0/0 TOS set 0x08
> > all -- 0.0.0.0/0 213.134.225.4
> >
> > Currently in the peak hours we have about 40 Megabit traffic. Also in this
> > peak hours we have a CPU load of about 70%. What is the main reason of this
> > CPU load, is it the high traffic or the iptables rules on the machine. And
> > if the iptables rules are the reason of the high CPU load, does TOS
> > mangling use much CPU?
> I'm not sure, but I think the high traffic is the problem. And for iptables,
> I think changing something (TOS or DNAT/SNAT) is the most CPU intensive.
> Maybe you can try to rearrange the iptables rules so the most matched rules
> are in the beginning of your firewall script.
>
> Maybe you can create a test setup so you can generate 40 Megabit traffic on a
> test bridge without iptables rules to see what the CPU does.
>
> Stef
>
> --
>
Stef,
We have about 3200 iptables rules on our bridge. I've tested today to remove
1000 of these rules. The load dropped from about 40% to 25%. So I think the
iptables rules take up the most of the CPU load. Do you think this is a
problem of inefficiency of iptables or just a 'limitation' in the TCP/IP
stack of linux ?
regards Rinse
* Re: [LARTC] Bandwith limitation
From: Stef Coene @ 2003-03-10 18:00 UTC (permalink / raw)
To: lartc
> Stef,
>
> We have about 3200 iptables rules on our bridge. I've tested today to
> remove 1000 of these rules. The load dropped from about 40% to 25%. So I
> think the iptables rules take up the most of the CPU load. Do you think this
> is a problem of inefficiency of iptables or just a 'limitation' in the
> TCP/IP stack of linux ?
I don't think it's a limitation. I think you reached the point where you need
a bigger machine :)
Maybe you can try the iptables mailing list to find more info about the
performance you can expect :
http://lists.netfilter.org/mailman/listinfo/netfilter
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
* Re: [LARTC] Bandwith limitation
From: Evgeni Gechev @ 2003-03-10 18:42 UTC (permalink / raw)
To: lartc
Stef Coene wrote:
> > Stef,
> >
> > We have about 3200 iptables rules on our bridge. I've tested today to
> > remove 1000 of these rules. The load dropped from about 40% to 25%. So I
> > think the iptables rules take up the most of the CPU load. Do you think this
> > is a problem of inefficiency of iptables or just a 'limitation' in the
> > TCP/IP stack of linux ?
> I don't think it's a limitation. I think you reached the point where you need
> a bigger machine :)
Some topic-related observations:
AMD Athlon XP1700+ (1466), 4xRealtek8139, 5-6Mbit/s - nearly reaching the limit
of machine capabilities
P4 2000, 3com905C+BROADCOM BCM5701, 40-50Mbit/s - far better behavior
Same configuration on both, thousands of iptables rules, and on the p4 machine
there are 200-250 concurrent pppoe sessions (none on the athlon)
>
> Maybe you can try the iptables mailing list to find more info about the
> performance you can expect :
> http://lists.netfilter.org/mailman/listinfo/netfilter
>
> Stef
>
> --
>
> stef.coene@docum.org
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
* Re: [LARTC] Bandwith limitation
From: Raúl Alexis Betancort Santana @ 2003-03-10 19:03 UTC (permalink / raw)
To: lartc
El Mon, Mar 10, 2003 at 08:42:06PM +0200, Evgeni Gechev escribió:
>
> Some topic-related observations:
> AMD Athlon XP1700+ (1466), 4xRealtek8139, 5-6Mbit/s - nearly reaching the limit
> of machine capabilities
Change the 4 Realtek by 4 REAL nics, as the kernel driver of the
realtek cards says ... "... Realtek redefine the concept of low end
hardware with this chipset ..."
> P4 2000, 3com905C+BROADCOM BCM5701, 40-50Mbit/s - far better behavior
> Same configuration on both, thousands of iptables rules, and on the p4 machine
> there are 200-250 concurrent pppoe sessions (none on the athlon)
I think it is not a matter of the hardware (CPU/Mem I mean), but a matter of having good
nics, good switches, and a very good planned and implemented network
structure. If you want good performance, a tuning over the kernel
network related parameters would be good too.
Best regards
--
_ _
// Raúl A. Betancort Santana /> A Dream is an answer to __ \\
// <rabs@dimension-virtual.com> // question that we don't know (oo) \\
// Dimensión Virtual S.L. // how to ask. / \/ \ //
\> A Linux Solution Provider </ `V__V' </