[Bug 830] Regarding the impact of iptables on server performance

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Jun 27 05:09:32 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=830

--- Comment #2 from higkoohk at gmail.com 2013-06-27 05:09:32 CEST ---
Iptables impact on server performance issues


I'm so glad to have found a place where I can raise this issue:

When using Linux iptables, I found that it adversely affects server
performance, which is especially noticeable on heavily loaded servers.

For example: with one million HTTP requests per second to a web server, even
without any iptables rules set, you will find:
1. server performance begins to drop
2. soon the iptables ip_conntrack table is full and packets are dropped

OK, for the problem of the ip_conntrack table filling up, you can set a larger
table, but the larger the table, the slower it is! The fundamental problem is
that this table records all the various TCP states! In fact, I do not care
about TCP state, only the IP address filtering function. iptables feels too
heavy; is there no way to make it lightweight?

In addition, I also found another solution to the ip_conntrack problem: use the
raw table and set the NOTRACK target, so that connections matching the rule are
not recorded in the ip_conntrack table; iptables performance improved
significantly!

However, enabling NOTRACK breaks things, such as outbound HTTP requests and
DNS resolution.
So in the production environment we only enable NOTRACK for service ports, such
as 80, but ultimately that is not a good idea, because there may be other ports
that need to be maintained, and this becomes very complicated.

Seeking support!
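The raw-table NOTRACK approach described in this comment, written out as an added example (it is not part of the bug report or of netfilter's own code). The script only prints iptables-restore fragments for the service ports given as arguments and reads the current conntrack sizing; it assumes the classic `-j NOTRACK` target and the `conntrack` match with `--ctstate UNTRACKED`, and the port numbers are just sample values.

```shell
#!/bin/sh
# Added example, not from the bug report: generate iptables-restore fragments
# that exempt selected TCP service ports from connection tracking (raw table,
# NOTRACK), plus the filter rules those untracked flows then need.
# Nothing is applied to the kernel; the output is meant to be reviewed first.

# Raw table: skip conntrack for packets to the service port and for the
# replies leaving from it. Ports are passed as arguments (sample: 80 443).
gen_notrack_rules() {
    printf '%s\n' '*raw'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    for port in "$@"; do
        # inbound client packets destined for the service port
        printf '%s\n' "-A PREROUTING -p tcp --dport $port -j NOTRACK"
        # outbound server replies sourced from the service port
        printf '%s\n' "-A OUTPUT -p tcp --sport $port -j NOTRACK"
    done
    printf '%s\n' 'COMMIT'
}

# Filter table: untracked flows never become ESTABLISHED, so a policy that
# relies on "--ctstate ESTABLISHED,RELATED" silently drops them. Each
# untracked service port therefore gets an explicit UNTRACKED accept rule.
gen_filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate UNTRACKED -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Read-only view of the conntrack table sizing the comment talks about
# (the files only exist when nf_conntrack is loaded; missing ones are skipped).
conntrack_status() {
    for f in /proc/sys/net/netfilter/nf_conntrack_max \
             /proc/sys/net/netfilter/nf_conntrack_count \
             /sys/module/nf_conntrack/parameters/hashsize; do
        [ -r "$f" ] && printf '%s = %s\n' "$f" "$(cat "$f")"
    done
    return 0
}

# Sample run: print the rules for ports 80 and 443 (constructed values), then
# the current table sizing. To apply after review:
#   { gen_notrack_rules 80 443; gen_filter_rules 80 443; } | iptables-restore -n
gen_notrack_rules 80 443
gen_filter_rules 80 443
conntrack_status
```

Keeping the raw rules per service port, and pairing each one with a matching UNTRACKED accept in the filter table, is what avoids the breakage the comment reports: when NOTRACK is applied too broadly, the replies to the server's own outbound HTTP and DNS requests also become untracked and no longer match an ESTABLISHED rule.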
