From: "Rinse Kloek" <rinse@solcon.nl>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Bandwith limitation
Date: Mon, 10 Mar 2003 17:50:51 +0000
Message-ID: <marc-lartc-104731922213318@msgid-missing>
In-Reply-To: <marc-lartc-104728577309146@msgid-missing>
> On Monday 10 March 2003 09:41, Rinse Kloek wrote:
> > We use a RedHat 7.3 machine as bridge on a P3 1.8 GHz with 2 64 bits
> > Gigabit interfaces. On the machine we have a lot of iptables rules like:
> > all -- 213.134.225.0 0.0.0.0/0
> > all -- 0.0.0.0/0 213.134.225.0
> > TOS all -- 213.134.225.4 0.0.0.0/0 TOS set 0x08
> > all -- 0.0.0.0/0 213.134.225.4
> >
> > Currently in the peak hours we have about 40 Megabit traffic. Also in these
> > peak hours we have a CPU load of about 70%. What is the main reason of this
> > CPU load, is it the high traffic or the iptables rules on the machine? And
> > if the iptables rules are the reason of the high CPU load, does TOS
> > mangling use much CPU?
> I'm not sure, but I think the high traffic is the problem. And for iptables,
> I think changing something (TOS or DNAT/SNAT) is the most CPU intensive.
> Maybe you can try to rearrange the iptables rules so the most matched rules
> are in the beginning of your firewall script.
>
> Maybe you can create a test setup so you can generate 40 Megabit traffic on a
> test bridge without iptables rules to see what the CPU does.
>
> Stef
>
> --
>
Stef,
We have about 3200 iptables rules on our bridge. I've tested today to remove
1000 of these rules. The load dropped from about 40% to 25%. So I think the
iptables rules take up the most of the CPU load. Do you think this is a
problem of inefficiency of iptables or just a 'limitation' in the TCP/IP
stack of Linux?
regards Rinse
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
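
The reordering suggestion quoted above can be checked against per-rule packet counters before a production ruleset is touched. The following is an added example, not part of the original thread: it parses `iptables-save -c` output (the sample is constructed) and estimates how many rules an average packet traverses, assuming linear traversal, rules that match disjoint traffic, and that only ACCEPT/DROP/REJECT end traversal. `parse`, `avg_rules_per_packet` and `hottest_first` are hypothetical helper names.

```python
import re

# Constructed sample in `iptables-save -c` format (not data from the thread).
SAMPLE = """\
:FORWARD ACCEPT [900:90000]
[10:1000] -A FORWARD -s 213.134.225.0/32
[10:1000] -A FORWARD -d 213.134.225.0/32
[50:5000] -A FORWARD -s 213.134.225.4/32 -j TOS --set-tos 0x08
[20:2000] -A FORWARD -s 192.0.2.7/32 -j DROP
[80:8000] -A FORWARD -s 192.0.2.9/32 -j DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # verdict targets end traversal
RULE = re.compile(r"^\[(\d+):\d+\] -A (\S+) (.*)$")
POLICY = re.compile(r"^:(\S+) \S+ \[(\d+):\d+\]$")

def parse(text, chain):
    """Return (policy_pkts, [(hits, terminating, spec), ...]) for one chain."""
    policy, rules = 0, []
    for line in text.splitlines():
        if (m := POLICY.match(line)) and m.group(1) == chain:
            policy = int(m.group(2))  # packets that fell through to the policy
        elif (m := RULE.match(line)) and m.group(2) == chain:
            target = re.search(r"(?:^| )-j (\S+)", m.group(3))
            # No -j (pure accounting rule) or TOS/MARK/LOG: packet continues.
            stops = bool(target) and target.group(1) in TERMINATING
            rules.append((int(m.group(1)), stops, m.group(3)))
    return policy, rules

def avg_rules_per_packet(policy, rules):
    """Mean number of rules evaluated per packet under linear traversal."""
    total = policy + sum(h for h, stops, _ in rules if stops)
    alive, checks = total, 0
    for hits, stops, _ in rules:
        checks += alive          # every packet still in the chain is compared
        if stops:
            alive -= hits        # matched packets leave the chain here
    return checks / total if total else 0.0

def hottest_first(rules):
    """Move terminating rules to the front, most hits first (stable sort).
    Assumption: matches are disjoint, so verdicts do not change; packets
    dropped earlier are no longer seen by the accounting/TOS rules behind."""
    return sorted(rules, key=lambda r: (not r[1], -r[0] if r[1] else 0))
```

On the constructed sample the average falls from 4.98 to 4.62 rules per packet. Rules with no `-j` target, like the accounting rules quoted in the thread, are evaluated for every packet that reaches them wherever they sit in the chain.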