From: Guillaume Leccese <guillaume.leccese@oxalide.com>
To: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Subject: iptables logging to syslog: performance problem
Date: Tue, 23 Oct 2007 17:12:40 +0200
Message-ID: <471E0F68.4010700@oxalide.com>
Hi list,
On a 2.6.19.1 kernel box (nfct patch from Julian
http://www.ssi.bg/~ja/nfct/) we have a strange performance problem.
When a scan occurs on a /24 network handled by the firewall (on a filtered
port), the dropping of packets produces syslog output. During the logging process,
the traffic is in a frozen state (2 seconds to 30 seconds, depending on the
number of ports scanned).
vmstat output when the problem happens:
procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
2 0 0 577112 102152 266592 0 0 0 0 1698 1513 0 16 84 0
2 0 0 576120 102152 266592 0 0 0 0 1690 1507 0 16 83 0
Before, interrupts are at approximately 25k/sec (symmetrical to the
traffic). For instance, usually we have 100mb/s outgoing with
a peak above 200mb/s during high activity.
vmstat output at normal state:
procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
0 0 0 753820 113540 77544 0 0 0 16 24668 91 0 6 94 0
0 0 0 753820 113540 77544 0 0 0 0 24919 72 0 7 93 0
The problem can be reproduced with an nmap /24 scan on a specific port or
with a full scan on a single host.
vmstat output when output to syslog is not active:
Oct 20 00:46:50 2 0 0 814400 43740 99024 0 0 0 0 16995 7325 10 32 58 0
Oct 20 00:46:51 2 0 0 814316 43740 99024 0 0 0 0 16166 7322 10 32 58 0
I did these vmstats during the night; traffic was not so heavy, but
interrupts do not decrease and no freeze was noticed.
When output to syslog is not active, there is no performance decrease.
More details about the configuration:
- Linux 2.6.19.1, modules enabled, iptables not built as a module
- e1000, tygon 3 and sundance drivers as modules
- bonding device as a module
- 2x e1000, driver v7.6.9 stable, in bonding
- Keepalived 1.1.12-1, Debian apt version
Comments and help are welcome.
Regards,
--
Guillaume Leccese
13, rue Greneta 75003 Paris
tel: 01 44 78 63 66 - fax: 01 44 78 63 65
http://www.oxalide.com
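The report above describes one syslog line being written for every dropped packet of a port scan, which is the classic way an iptables LOG rule turns a scan into a flood of synchronous log writes. The following is an added example, not code from the original post or from the netfilter project: a small token-bucket model of the standard limit match placed in front of LOG (`-m limit --limit R --limit-burst B`), applied to a constructed /24 scan, so the reader can see how many syslog lines the same scan produces with and without the limit. The bucket is a simplified model, not the kernel's xt_limit code, and the hosts, ports, packet rate, chain name and log prefix are illustrative choices.

```python
# Added example (not code from the original post): a token-bucket model of
# rate-limited iptables logging. It approximates the standard
# "-m limit --limit R --limit-burst B" match placed in front of "-j LOG" and
# counts how many syslog lines a /24 port scan generates with and without it.
# The scan traffic is constructed; nothing here is captured from the
# reporter's firewall, and the bucket is a model, not the kernel's xt_limit code.
from dataclasses import dataclass, field
from typing import Iterator, Optional, Tuple


@dataclass
class TokenBucket:
    """Simplified token bucket: `burst` tokens, refilled at `rate_per_sec`."""
    rate_per_sec: float
    burst: int
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # a fresh rule starts with a full burst

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def scan_packets(hosts: int = 254, ports: Tuple[int, ...] = (22, 80, 443),
                 pps: float = 5000.0) -> Iterator[Tuple[float, str, int]]:
    """Constructed scan: each host of 192.0.2.0/24 probed on each port at `pps` packets/s."""
    n = 0
    for port in ports:
        for host in range(1, hosts + 1):
            yield (n / pps, f"192.0.2.{host}", port)
            n += 1


def count_log_lines(packets, bucket: Optional[TokenBucket] = None) -> Tuple[int, int]:
    """Return (syslog lines emitted, packets dropped) for a stream of dropped packets.

    Without a bucket every dropped packet is logged (one syslog line each), which is
    the situation in the report; with a bucket only packets that win a token are
    logged and the rest are dropped silently.
    """
    logged = dropped = 0
    for ts, _dst, _port in packets:
        dropped += 1
        if bucket is None or bucket.allow(ts):
            logged += 1
    return logged, dropped


def limited_log_rules(chain: str = "INPUT", rate: str = "5/second", burst: int = 10,
                      prefix: str = "FW-DROP: ") -> list:
    """iptables rules for rate-limited logging followed by an unconditional DROP.

    Uses the standard limit match options (--limit, --limit-burst) and LOG target
    option (--log-prefix); chain, rate, burst and prefix are illustrative values.
    """
    return [
        f'iptables -A {chain} -m limit --limit {rate} --limit-burst {burst} '
        f'-j LOG --log-prefix "{prefix}"',
        f"iptables -A {chain} -j DROP",
    ]


if __name__ == "__main__":
    unlimited = count_log_lines(scan_packets())
    limited = count_log_lines(scan_packets(), TokenBucket(rate_per_sec=5.0, burst=10))
    print(f"unlimited LOG: {unlimited[0]} syslog lines for {unlimited[1]} dropped packets")
    print(f"limited LOG:   {limited[0]} syslog lines for {limited[1]} dropped packets")
    print("\n".join(limited_log_rules()))
```

The limit match is per rule, not per source address, so during a scan the bucket is shared by all dropped traffic matching that rule; the trade-off is that a loud scanner can crowd out log lines about other sources, which is why the ordering (LOG with limit, then DROP) matters and why the log prefix should make the rule identifiable. The model also ignores the coarse timer resolution of the real kernel match, so exact counts on a live box will differ from the numbers this simulation returns.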