Linux Netfilter discussions
From: Horvath Szabolcs <hsz@sth.sze.hu>
To: netfilter@lists.netfilter.org
Cc: root@sth.sze.hu
Subject: netfilter conntrack performance problems
Date: Mon, 19 Sep 2005 22:34:42 +0200
Message-ID: <20050919203442.GA4111@hsz.tmp.hu>

Hi!

We have a firewalling-only machine, called natbox. Traffic is around
20-40 MByte/s, ~400 clients snatted to 4 public IPs, approx. 10000-40000
parallel connections.

You can see the traffic here:
http://mrtg.sth.sze.hu/14all.cgi?log=193.224.129.230&cfg=uplink.cfg

When the traffic grows above 30 MByte/sec, the sysinterrupts are around
90%.

vmstat's output at 20 MByte/sec:

gw:~# vmstat 1
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 3  0      0 844720   5936  23476    0    0    12    16 7887  2364  4 57 39  0
 2  0      0 844656   5936  23476    0    0     0     0 30336  3263  5 76 19  0
 0  0      0 844592   5936  23476    0    0     0     0 30102  3314  5 72 23  0
 1  0      0 844656   5936  23476    0    0     0     0 28954  4219  5 66 29  0
 0  0      0 844656   5936  23476    0    0     0     0 29902  3428  6 71 23  0
 1  0      0 844656   5944  23476    0    0     0    64 29250  4071  5 71 24  0

When the sysinterrupt is near 100%, the machine keeps natting,
but we can't manage it via ssh. Interactive tasks don't work.

sysctl parameters: http://193.224.129.230/log/sysctl.txt
dmesg info: http://193.224.129.230/log/dmesg.txt
kernel configuration: http://193.224.129.230/log/config.txt
firewall conf: http://193.224.129.230/log/firewall.txt
(If I missed any important information, please let me know!)

munin: http://193.224.129.230/munin/

From the munin graphs, I see the NIC's interrupts generate the machine
load. What can we tune to get better performance?

It is a P4 3.0GHz with 1 GB RAM; is this computer enough for this task?


Thanks for your reply.

Szabolcs Horvath

Thread overview: 3+ messages
2005-09-19 20:34 Horvath Szabolcs [this message]
2005-09-19 21:10 ` netfilter conntrack performance problems Stephen J. Smoogen
2005-09-20 10:38 ` KOVACS Krisztian