* ulog: losing packets
@ 2009-02-27 14:26 Alexander Kolesnik
2009-03-01 10:14 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Alexander Kolesnik @ 2009-02-27 14:26 UTC (permalink / raw)
To: netfilter
Hello,
We're accounting traffic for users by ULOG-ipcad chain. Some time ago
I've found that some of users traffic does not appear in ipcad. To
check that this is not ipcad's problem I've installed ulogd and found
following in its log:
Fri Feb 27 15:25:56 2009 <3> ulogd.c:487 ulogd Version 1.22 starting
Fri Feb 27 15:25:56 2009 <5> ulogd.c:766 initialization finished, entering main loop
Fri Feb 27 15:27:00 2009 <7> ulogd.c:777 ipulog_read == -1! ipulog_errno == 6, errno = 105
Fri Feb 27 15:27:02 2009 <7> ulogd.c:777 ipulog_read == -1! ipulog_errno == 6, errno = 105
...
I have following settings for ulog and other stuff:
/etc/modprobe.conf:
options nf_conntrack hashsize=2097152
options ipt_ULOG nlbufsiz=65535 flushtimeout=100
# sysctl -a|grep rmem
net.ipv4.tcp_rmem = 4096 87380 174760
net.core.rmem_default = 221184
net.core.rmem_max = 4194304
/etc/ulogd.conf:
rmem=442368
bufsize=1000000
/etc/ipcad.conf:
buffers = 4194304;
# uname -a
Linux host.mydomain 2.6.20.20-2 #2 SMP Mon Oct 15 15:26:52 MSD 2007 i686 i686 i386 GNU/Linux
# free
total used free shared buffers cached
Mem: 1033124 980912 52212 0 83132 507860
-/+ buffers/cache: 389920 643204
Please, let me know what should be tuned to fix this problem!
Thanks in advance!
--
Alexander
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ulog: losing packets
2009-02-27 14:26 ulog: losing packets Alexander Kolesnik
@ 2009-03-01 10:14 ` Pablo Neira Ayuso
2009-03-02 7:57 ` Re[2]: " Alexander Kolesnik
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2009-03-01 10:14 UTC (permalink / raw)
To: Alexander Kolesnik; +Cc: netfilter
Alexander Kolesnik wrote:
> Hello,
>
> We're accounting traffic for users by ULOG-ipcad chain. Some time ago
> I've found that some of users traffic does not appear in ipcad. To
> check that this is not ipcad's problem I've installed ulogd and found
> following in its log:
> Fri Feb 27 15:25:56 2009 <3> ulogd.c:487 ulogd Version 1.22 starting
> Fri Feb 27 15:25:56 2009 <5> ulogd.c:766 initialization finished, entering main loop
> Fri Feb 27 15:27:00 2009 <7> ulogd.c:777 ipulog_read == -1! ipulog_errno == 6, errno = 105
> Fri Feb 27 15:27:02 2009 <7> ulogd.c:777 ipulog_read == -1! ipulog_errno == 6, errno = 105
That means that netlink cannot back off as it is hitting ENOBUFS, thus,
you are losing log messages. Hm, ulog <= 1.24 does a primitive netlink
error handling.
> I have following settings for ulog and other stuff:
> /etc/modprobe.conf:
> options nf_conntrack hashsize=2097152
> options ipt_ULOG nlbufsiz=65535 flushtimeout=100
>
> # sysctl -a|grep rmem
> net.ipv4.tcp_rmem = 4096 87380 174760
> net.core.rmem_default = 221184
> net.core.rmem_max = 4194304
>
> /etc/ulogd.conf:
> rmem=442368
^^^^^^
Rising this value will delay hitting ENOBUFS. This is the size of the
receiver buffer.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re[2]: ulog: losing packets
2009-03-01 10:14 ` Pablo Neira Ayuso
@ 2009-03-02 7:57 ` Alexander Kolesnik
2009-03-02 9:46 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Alexander Kolesnik @ 2009-03-02 7:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
Hello Pablo,
Thanks for the answer!
>> /etc/ulogd.conf:
>> rmem=442368
PNA> ^^^^^^
PNA> Rising this value will delay hitting ENOBUFS. This is the size of the
PNA> receiver buffer.
1. "delay" means I will get ENOBUFS in any case (early or later)?
2. What ENOBUFS does depend on? Packets per second? Bytes per second?
Amount of iptables/shaping rules? CPU performance?
3. Is there any way to calculate or predict the high limit of
traffic rate/number of rules/etc when the system will still manage to
process ULOG without alerting with ENOBUFS?
4. ipcad buffers (I suppose this is the same as rmem for ulogd) is set
to 4M:
/etc/ipcad.conf:
buffers = 4194304;
But I'm still losing ULOG messages. Does that mean I have to rise this
value more?
--
Best regards,
Alexander
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ulog: losing packets
2009-03-02 7:57 ` Re[2]: " Alexander Kolesnik
@ 2009-03-02 9:46 ` Pablo Neira Ayuso
2009-03-02 17:12 ` Nick
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2009-03-02 9:46 UTC (permalink / raw)
To: Alexander Kolesnik; +Cc: netfilter
Alexander Kolesnik wrote:
> Hello Pablo,
>
> Thanks for the answer!
>
>>> /etc/ulogd.conf:
>>> rmem=442368
> PNA> ^^^^^^
> PNA> Rising this value will delay hitting ENOBUFS. This is the size of the
> PNA> receiver buffer.
>
> 1. "delay" means I will get ENOBUFS in any case (early or later)?
Yes, but as said, you can tune different parameters to make it harder to
happen, like rising qthreshold, reducing cprange, setting a lower nice
value for ulogd.
> 2. What ENOBUFS does depend on? Packets per second? Bytes per second?
> Amount of iptables/shaping rules? CPU performance?
On the queue size, bytes/s sent to ulogd and on how slow ulogd is
reading messages.
> 3. Is there any way to calculate or predict the high limit of
> traffic rate/number of rules/etc when the system will still manage to
> process ULOG without alerting with ENOBUFS?
I don't know any, at least yet.
> 4. ipcad buffers (I suppose this is the same as rmem for ulogd) is set
> to 4M:
> /etc/ipcad.conf:
> buffers = 4194304;
> But I'm still losing ULOG messages. Does that mean I have to rise this
> value more?
Rising the value to the infinite is not either a solution, you'll hit
ENOBUFS sooner or later.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ulog: losing packets
2009-03-02 9:46 ` Pablo Neira Ayuso
@ 2009-03-02 17:12 ` Nick
0 siblings, 0 replies; 5+ messages in thread
From: Nick @ 2009-03-02 17:12 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Alexander Kolesnik, netfilter
Pablo Neira Ayuso пишет:
> Alexander Kolesnik wrote:
>
>> Hello Pablo,
>>
>> Thanks for the answer!
>>
>>
>>>> /etc/ulogd.conf:
>>>> rmem=442368
>>>>
>> PNA> ^^^^^^
>> PNA> Rising this value will delay hitting ENOBUFS. This is the size of the
>> PNA> receiver buffer.
>>
>> 1. "delay" means I will get ENOBUFS in any case (early or later)?
>>
>
> Yes, but as said, you can tune different parameters to make it harder to
> happen, like rising qthreshold, reducing cprange, setting a lower nice
> value for ulogd.
>
>
>> 2. What ENOBUFS does depend on? Packets per second? Bytes per second?
>> Amount of iptables/shaping rules? CPU performance?
>>
>
> On the queue size, bytes/s sent to ulogd and on how slow ulogd is
> reading messages.
>
>
>> 3. Is there any way to calculate or predict the high limit of
>> traffic rate/number of rules/etc when the system will still manage to
>> process ULOG without alerting with ENOBUFS?
>>
>
> I don't know any, at least yet.
>
>
>> 4. ipcad buffers (I suppose this is the same as rmem for ulogd) is set
>> to 4M:
>> /etc/ipcad.conf:
>> buffers = 4194304;
>> But I'm still losing ULOG messages. Does that mean I have to rise this
>> value more?
>>
>
> Rising the value to the infinite is not either a solution, you'll hit
> ENOBUFS sooner or later.
>
>
I experimented with the configuration, but never succeeded. Packages are
lost after 2MBit/s. For the solution of the problem I used other package
- ulog-acctd. It's works perfect.
--
With best regards, Nikolay Ilkevich.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2009-03-02 17:12 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-02-27 14:26 ulog: losing packets Alexander Kolesnik
2009-03-01 10:14 ` Pablo Neira Ayuso
2009-03-02 7:57 ` Re[2]: " Alexander Kolesnik
2009-03-02 9:46 ` Pablo Neira Ayuso
2009-03-02 17:12 ` Nick
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox