[Bug 830] Iptables impact on server performance issues

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Jun 27 15:10:33 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=830

higkoohk at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from higkoohk at gmail.com 2013-06-27 15:10:33 CEST ---
(In reply to comment #3)
> It is not a bug.
> I don't really understand what you want.
> 
> If you don't need conntrack then do not use it. Just unload the [ip|nf]_conntrack
> module (there must not be any rules that use it in the firewall: state and
> conntrack matches, NAT destinations, etc). Maybe remove its loading on startup
> (older RHEL loads ip_conntrack_netbios_ns from /etc/sysconfig/iptables-config
> by default).
> 
> Or you can scale the conntrack table by the ip_conntrack_max AND ip_conntrack_buckets
> parameters. The latter is tuned via sysfs
> (/sys/module/ip_conntrack/parameters/hashsize or
> /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets or something similar, may
> depend on version). If you increase max without buckets, it really hurts
> performance. Buckets should be a few times (2-8) smaller than max. On large
> numbers it may eat much RAM, so be careful, especially on 32-bit systems. More
> buckets -> more performance and more memory footprint.
> 
> Or, as you mentioned, you can use the NOTRACK target to avoid using conntrack on
> some basis. Adding one extra rule per service is a really simple and efficient
> way.

many thanks!

This is just what I want, thank you so much.

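The three options laid out in comment #3 (unload conntrack once no rule depends on it, size the bucket count against the entry limit, or bypass conntrack per service with NOTRACK), worked through as an added shell example. This is not code from the bug report or from the netfilter project. It only prints commands and values, so it runs without root; the divisor of 4 is an assumption picked from the 2-8 range the comment suggests, the sysctl and sysfs paths are the current nf_conntrack names rather than the older ip_conntrack ones, and the iptables-save dump it inspects is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the netfilter project.
# Helpers for the three options named in comment #3:
#   1. find rules that still depend on conntrack (they must be removed
#      before the module can be unloaded),
#   2. size nf_conntrack_buckets relative to nf_conntrack_max,
#   3. emit NOTRACK rules so chosen services bypass conntrack entirely.
# Nothing here changes the running kernel; every function prints commands
# or values, so it can be run and tested without root.

# 1. Lines of an iptables-save dump that use connection tracking:
#    state/conntrack matches and NAT targets (NAT is built on conntrack).
conntrack_dependent_rules() {
    printf '%s\n' "$1" \
        | grep -E -- '-m (state|conntrack)|-j (SNAT|DNAT|MASQUERADE|REDIRECT)' \
        || true
}

# 2. Bucket count for a given entry limit. The divisor (default 4) is an
#    assumption chosen from the 2-8 range recommended in the comment.
conntrack_buckets_for_max() {
    max=$1
    divisor=${2:-4}
    buckets=$((max / divisor))
    [ "$buckets" -lt 1 ] && buckets=1
    echo "$buckets"
}

# Commands that apply both values on a kernel using the nf_conntrack module
# (older kernels exposed the same knobs under ip_conntrack names).
conntrack_sizing_commands() {
    max=$1
    buckets=$(conntrack_buckets_for_max "$max" "${2:-4}")
    echo "sysctl -w net.netfilter.nf_conntrack_max=$max"
    echo "echo $buckets > /sys/module/nf_conntrack/parameters/hashsize"
}

# 3. NOTRACK rules belong in the raw table, which is evaluated before
#    conntrack sees the packet. One rule per direction for each TCP port.
notrack_rules() {
    for port in "$@"; do
        echo "iptables -t raw -A PREROUTING -p tcp --dport $port -j NOTRACK"
        echo "iptables -t raw -A OUTPUT -p tcp --sport $port -j NOTRACK"
    done
}

# Constructed sample ruleset (not taken from any real host) for the check.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

echo "# rules that still need conntrack (must go before unloading the module):"
conntrack_dependent_rules "$SAMPLE_RULES"
echo "# sizing commands for a 262144-entry table:"
conntrack_sizing_commands 262144
echo "# bypass conntrack for a busy web service:"
notrack_rules 80 443
```

Run it as-is to see the generated commands; feed `conntrack_dependent_rules` the real output of `iptables-save` before attempting `rmmod nf_conntrack`, since the module will refuse to unload while any match or NAT target still references it. The NOTRACK rules above only cover TCP; a service using UDP needs its own pair with `-p udp`.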