From: "danyvip (at) pattco.ro" <danyvip@pattco.ro>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: High CPU usage + Kernel option
Date: Thu, 08 Apr 2004 22:24:35 +0300 [thread overview]
Message-ID: <4075A6F3.8040607@pattco.ro> (raw)
In-Reply-To: <4072C5E1.60306@xana.ro>
You could always use arp -f filename to have fewer rules in iptables..
a little bit less CPU consumption..
If the main problem is logging in over ssh, try port shaping and allocate 5kb for
ssh..
Hope it helps,
danyvip
--
Vlad Adomnicai wrote:
> With vmstat the sys is at 100%. User process is 1-2%.
> The machine doesn't do anything except routing and filtering with
> iptables.
> There is also a script that runs every minute that updates the
> iptables rules, but it only lasts for about 1 second under medium cpu
> load.
>
> Vlad Adomnicai
>
>
> Ray Leach wrote:
>
>> On Tue, 2004-04-06 at 15:35, Vlad Adomnicai wrote:
>>
>>
>>> Hi,
>>> I have a K6/2 333 machine with 64MB of RAM and two network cards
>>> (a 3c509 and an Intel one, both with TCP checksum offloading and CPU).
>>> I use Fedora Core 1 with the default kernel and iptables 1.2.9.
>>>
>>> At high traffic through the router (6-7Mbytes/second) the CPU goes
>>> to 100% and I can't even log on to it through SSH:
>>> [root@root web]# ssh 192.168.200.1 -C -v
>>> OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: Applying options for *
>>> debug1: Rhosts Authentication disabled, originating port will not be
>>> trusted.
>>> debug1: ssh_connect: needpriv 0
>>> debug1: Connecting to 192.168.200.1 [192.168.200.1] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /root/.ssh/identity type -1
>>> debug1: identity file /root/.ssh/id_rsa type -1
>>> debug1: identity file /root/.ssh/id_dsa type -1
>>> and stays there until a timeout occurs.
>>> On the network behind the router are approximately 200 users, for
>>> which I have about 200 iptables rules like this:
>>>   iptables -A FORWARD -s <ip> -m mac --mac-source <mac> -j ACCEPT
>>> and 200 rules like this:
>>>   iptables -A FORWARD -d <ip> -j ACCEPT
>>> to allow passage only for the machines with the correct ip/mac pair.
>>> I could give up the last 200 rules, as they don't serve a real purpose
>>> in limiting access; they are used only for bandwidth monitoring per IP.
>>> Does anyone know how to lower the CPU usage with this
>>> configuration?
>>
>> It should be very low ...
>>
>>
>>
>>> tweaks of any kind? Would a 2.6 kernel improve the situation? I have
>>> also seen an option in the 2.4 kernels, CONFIG_NET_HW_FLOWCONTROL
>>> (Forwarding between high speed interfaces), but there it is written
>>> that it supports only some network devices and I don't know about
>>> the 3Com or Intel ones.
>>>
>>> Does anyone have any ideas? Another way of setting the rules? Another
>>> filtering method? Tweaking parameters? Or at least what kind of
>>> system would be necessary for this setup to be able to at least
>>> log on to the machine and do something on it. Also, would FreeBSD
>>> be more suitable for this on the same configuration?
>>>
>>>
>>
>> Run something like sar, vmstat, top on the machine during high usage to
>> see if there is another proc running that may be causing the high cpu
>> usage. Do you run squid on that machine? If so, check the memory config
>> ...
>>
>>
>>
>>> Thanks in advance for any information.
>>> Vlad Adomnicai
>>>
>>>
>>
>
>
>
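The original post keeps one ip/mac pair per host in 400 separate iptables invocations, refreshed by a script every minute, and the reply above suggests pushing the same pairs into the kernel ARP table with arp -f. The script below is an added example, written by the editor and not code from any poster in this thread: it keeps the ip/mac list in one place, validates every entry, and generates from it both the "<host> <hwaddr>" file that arp -f reads and an iptables-restore ruleset, so the FORWARD chain is replaced in one atomic load rather than by hundreds of single iptables calls. The input format ("<ip> <mac>" per line, '#' comments), the file names in the usage comment and the addresses in HOSTS are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): keep the ip/mac list in
# one place and generate from it both a static ARP table for `arp -f` and an
# iptables-restore ruleset, so the FORWARD chain is replaced in one atomic
# load instead of hundreds of separate iptables calls every minute.
# Assumed input format: one "<ip> <mac>" pair per line, '#' starts a comment.
# The addresses below are constructed sample data.

HOSTS='
# ip               mac
192.168.200.10     00:10:5a:aa:bb:01
192.168.200.11     00:a0:c9:12:34:56
192.168.200.12     00:50:04:de:ad:01
'

# Four dotted-decimal octets, each 0..255.
valid_ip() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    vi_ifs=$IFS; IFS=.
    set -- $1
    IFS=$vi_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Six colon-separated hex pairs (the form -m mac --mac-source expects).
valid_mac() {
    case $1 in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F])
            return 0 ;;
    esac
    return 1
}

# Read "<ip> <mac>" lines on stdin and print the valid pairs. Any bad entry
# makes the whole run fail: with a DROP policy a silently skipped host is
# locked out, and a mistyped address must not reach the kernel unnoticed.
parse_hosts() {
    bad=0
    while read -r ip mac rest; do
        case $ip in ''|'#'*) continue ;; esac
        if valid_ip "$ip" && valid_mac "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        else
            printf 'rejected entry: %s %s\n' "$ip" "$mac" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Static ARP table: arp -f reads "<host> <hwaddr>" lines, which is exactly
# the validated list, so the router only ever sends to the listed MAC.
gen_ethers() {
    parse_hosts
}

# iptables-restore input for the FORWARD chain: the same per-host rules the
# original post describes, loaded atomically with `iptables-restore < file`.
gen_ruleset() {
    pairs=$(parse_hosts) || return 1
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "$pairs" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # only the correct ip/mac pair may source traffic ...
        printf '%s\n' "-A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
        # ... and the -d rule exists only for per-host byte counters
        printf '%s\n' "-A FORWARD -d $ip -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (file names are assumptions):
#   printf '%s\n' "$HOSTS" | gen_ethers  > /etc/ethers.lan    && arp -f /etc/ethers.lan
#   printf '%s\n' "$HOSTS" | gen_ruleset > /etc/forward.rules && iptables-restore < /etc/forward.rules
```

Two caveats a practitioner should keep in mind. Static ARP entries only pin which MAC the router will send to for each IP; they do not stop a host on the LAN from sourcing packets with a neighbour's IP, so the -m mac --mac-source rules remain the actual access control and the ARP file is a complement, not a replacement. And because the ruleset is loaded with a DROP policy, the generator refuses to emit anything when a line fails validation rather than quietly leaving that host out.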
Thread overview: 4+ messages
2004-04-06 13:35 High CPU usage + Kernel option Vlad Adomnicai
2004-04-06 14:42 ` Ray Leach
2004-04-06 14:59 ` Vlad Adomnicai
2004-04-08 19:24 ` danyvip (at) pattco.ro [this message]