From: Patrick McHardy
Subject: Re: iptables logging to syslog: performance problem
Date: Tue, 23 Oct 2007 17:49:50 +0200
Message-ID: <471E181E.3050505@trash.net>
References: <471E0F68.4010700@oxalide.com>
In-Reply-To: <471E0F68.4010700@oxalide.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
To: Guillaume Leccese
Cc: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Return-path: <netfilter-devel-owner@vger.kernel.org>
Received: from stinky.trash.net ([213.144.137.162]:49118 "EHLO stinky.trash.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751819AbXJWPut (ORCPT); Tue, 23 Oct 2007 11:50:49 -0400
Sender: netfilter-devel-owner@vger.kernel.org
List-Id: netfilter-devel.vger.kernel.org

Guillaume Leccese wrote:
> Hi list,
>
> On a 2.6.19.1 kernel box (nfct patch from Julian
> http://www.ssi.bg/~ja/nfct/) we have a strange performance problem.
>
> When a scan occurs on a /24 network handled by the firewall (on a filtered
> port), packet dropping produces syslog output. During the logging
> process, the traffic is in a frozen state (2 seconds to 30 seconds,
> depending on the number of ports scanned).
>
> vmstat output when the problem happens:
>
> procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
>  2  0      0 577112 102152 266592    0    0     0     0 1698 1513  0 16 84  0
>  2  0      0 576120 102152 266592    0    0     0     0 1690 1507  0 16 83  0
>
> Before, interrupts are at approximately 25k/sec (symmetrical to the
> traffic). For instance, usually we have 100mb/s outgoing with
> a peak above 200mb/s during high activity.
>
> vmstat output in the normal state:
>
> procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
>  0  0      0 753820 113540  77544    0    0     0    16 24668   91  0  6 94  0
>  0  0      0 753820 113540  77544    0    0     0     0 24919   72  0  7 93  0
>
> The problem can be reproduced with an nmap /24 scan on a specific port or
> with a full scan on a single host.
>
> vmstat when output to syslog is not active:
>
> Oct 20 00:46:50  2  0      0 814400  43740  99024    0    0     0     0 16995 7325 10 32 58  0
> Oct 20 00:46:51  2  0      0 814316  43740  99024    0    0     0     0 16166 7322 10 32 58  0
>
> I did these vmstats during the night, when traffic was not so
> heavy, but interrupts do not decrease and no freeze was noticed.
>
> When output to syslog is not effective, there is no performance decrease.
>
> More details about the configuration:
>
> - Linux 2.6.19.1, module activate, iptables not in module
> - e1000, tigon 3 and sundance drivers in module
> - bonding device in module
> - 2x e1000, driver v7.6.9 stable, in bonding
> - Keepalived 1.1.12-1, Debian apt version
>
> Comments and help are welcome.

Are you using serial console?