From: Florian Weimer <fw@deneb.enyo.de>
To: Simon Kirby <sim@netnation.org>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Route cache performance under stress
Date: Sat, 17 May 2003 01:16:08 +0200 [thread overview]
Message-ID: <8765oaxz2f.fsf@deneb.enyo.de> (raw)
In-Reply-To: <20030516222436.GA6620@netnation.com> (Simon Kirby's message of "Fri, 16 May 2003 15:24:36 -0700")
Simon Kirby <sim@netnation.org> writes:
> I hate the way this works in iptables), particularly with the MSSQL
> worm that burst out to the 'net that one Friday night several few
> months ago. Adding a single match udp port, DROP rule to PREROUTING
> chain made the load go back down to normal levels. The same rule in
> the INPUT/FORWARD chain had no affect on the CPU utilization (still
> saturated).
Yes, that's exactly the phenomenon, but operators traditionally
attributed it to other things running on the router (such as
accounting).
> Under normal operation, it looks like most load we are seeing is in fact
> normal route lookups. We run BGP peering, and so there is a lot of
> routes in the table.
You should aggregate the routes before you load them into the kernel.
Hardly anybody seems to do this, but usually, you have much fewer
interfaces than prefixes 8-), so this could result in a huge win.
Anyway, using data structures tailored to the current Internet routing
table, it's certainly possible to do destination-only routing using
half a dozen memory lookups or so (or a few indirect calls, I'm not
sure which option is cheaper).
> I will try playing more with this code and look at your patch and paper.
Well, I didn't write the paper, I found it after discovering the
problem in the kernel. This complexity attack has been resolved, but
this won't help people like you who have to run Linux on an
uncooperative network.
The patch I posted won't help you as it increases the load
considerably unless most of your flows consist of one packet. (And
there's no need for patching, you can go ahead and just change the
value via /proc.)
next prev parent reply other threads:[~2003-05-16 23:03 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-04-05 16:37 Route cache performance under stress Florian Weimer
2003-04-05 18:17 ` Martin Josefsson
2003-04-05 18:34 ` Willy Tarreau
2003-05-16 22:24 ` Simon Kirby
2003-05-16 23:16 ` Florian Weimer [this message]
2003-05-19 19:10 ` Simon Kirby
2003-05-17 2:35 ` David S. Miller
2003-05-17 7:31 ` Florian Weimer
2003-05-17 22:09 ` David S. Miller
2003-05-18 9:21 ` Florian Weimer
2003-05-18 9:31 ` David S. Miller
2003-05-19 17:36 ` Jamal Hadi
2003-05-19 19:18 ` Ralph Doncaster
-- strict thread matches above, loose matches on Subject: below --
2003-04-08 6:14 Scott A Crosby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8765oaxz2f.fsf@deneb.enyo.de \
--to=fw@deneb.enyo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=sim@netnation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox