netfilter.vger.kernel.org archive mirror
From: Stefan Majer <stefan.majer@gmail.com>
To: netfilter@vger.kernel.org
Subject: conntrackd high cpu usage
Date: Mon, 9 Jan 2012 19:49:55 +0100
Message-ID: <CADdPHGu4WFrVantzmr6rn6jvPkoxmxPMdOrPzSkRYKMbbtZWKQ@mail.gmail.com>

Hi,

we have 2 8-core Xeon boxes with 2 Intel X520 10GBit adapters running
RHEL 6.1 as a redundant firewall.
On every node we have conntrackd installed in FTFW mode, we
synchronize all states.
Synchronization is made over multicast on a dedicated vlan interface.
The firewall itself actually has around 300 vlans active.

Actually we see permanent ~400 new connections/sec with peaks at 800 conn/sec.

With this load, conntrackd consumes about 15 - 25% CPU from one
CPU on the active side and about 5% CPU usage on the passive side.
Is this expected?
This is our testing environment, and we expect much higher (~10 - 20
times) connection rates.

This would not be possible with the current setup, as this would be
CPU bound on conntrackd, as this daemon is single threaded.
Is there any way to make this process faster, e.g. make the
synchronization multi-threaded?

I already did some perf analysis, but it didn't shed much light.

Any ideas, hints welcome.

Greetings
-- 
Stefan Majer
