Reading /proc/net/ip_conntrack still slow / causing packet loss?

Reading /proc/net/ip_conntrack still slow / causing packet loss?

[Pasi Kärkkäinen]

Hi!

http://ds9a.nl/klogbot/?year=2005&month=7&day=1&hour=16

quote from the url above:

"<Gandalf> cap_: the most extreme experience I have is reading
/proc/net/ip_conntrack on a fairly busy router... that really slows wthings
down and packets get dropped because of the slowdown"

"<Gandalf> and I had an identd daemon wich forwarding support that read
/p/n/ip_conntrack for each incoming ident request... 200ms forwarding delays
and lots of drops each time an ident request came in :)"

Is that information still valid for the current 2.6 kernels? How about for
2.4 ?

Thanks!

-- Pasi Kärkkäinen

Re: Reading /proc/net/ip_conntrack still slow / causing packet loss?

[KOVACS Krisztian]

  Hi,

On Tuesday 14 February 2006 18:39, Pasi Kärkkäinen wrote:
> "<Gandalf> cap_: the most extreme experience I have is reading
> /proc/net/ip_conntrack on a fairly busy router... that really slows
> wthings down and packets get dropped because of the slowdown"
>
> "<Gandalf> and I had an identd daemon wich forwarding support that read
> /p/n/ip_conntrack for each incoming ident request... 200ms forwarding
> delays and lots of drops each time an ident request came in :)"
>
> Is that information still valid for the current 2.6 kernels? How about
> for 2.4 ?

  Yes, it's still valid (on both versions). However, on recent 2.6 kernels 
you can do all kinds of funny things through netlink. An example of what 
can be done through that interface is the 'conntrack' tool:

  http://netfilter.org/projects/conntrack/index.html

  For the API:

  http://netfilter.org/projects/libnetfilter_conntrack/index.html

  Please note that both of these is still work in progress, but they're 
definitely worth a try.

-- 
 KOVACS Krisztian

Re: Reading /proc/net/ip_conntrack still slow / causing packet loss?

[Pasi Kärkkäinen]

On Tue, Feb 14, 2006 at 08:51:04PM +0100, KOVACS Krisztian wrote:
> 
>   Hi,
> 
> On Tuesday 14 February 2006 18:39, Pasi Kärkkäinen wrote:
> > "<Gandalf> cap_: the most extreme experience I have is reading
> > /proc/net/ip_conntrack on a fairly busy router... that really slows
> > wthings down and packets get dropped because of the slowdown"
> >
> > "<Gandalf> and I had an identd daemon wich forwarding support that read
> > /p/n/ip_conntrack for each incoming ident request... 200ms forwarding
> > delays and lots of drops each time an ident request came in :)"
> >
> > Is that information still valid for the current 2.6 kernels? How about
> > for 2.4 ?
> 
>   Yes, it's still valid (on both versions). However, on recent 2.6 kernels 
> you can do all kinds of funny things through netlink. An example of what 
> can be done through that interface is the 'conntrack' tool:
> 
>   http://netfilter.org/projects/conntrack/index.html
> 
>   For the API:
> 
>   http://netfilter.org/projects/libnetfilter_conntrack/index.html
> 
>   Please note that both of these is still work in progress, but they're 
> definitely worth a try.
> 

OK, Thanks for the info!

I suppose 'conntrack' tool does not block the whole netfilter like reading
/proc/net/ip_conntrack .. 

-- Pasi