[Bug 830] Iptables impact on server performance issues

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Jun 27 14:13:50 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=830

Dmitry Petuhov <d.petuhov at electro-com.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d.petuhov at electro-com.ru

--- Comment #3 from Dmitry Petuhov <d.petuhov at electro-com.ru> 2013-06-27 14:13:49 CEST ---
It is not a bug.
I did not really understand what you want.

If you do not need conntrack then do not use it. Just unload the [ip|nf]_conntrack
module (there must not be any rules that use it in the firewall: state and
conntrack matches, NAT destinations, etc). Maybe remove its loading on startup
(older RHEL loads ip_conntrack_netbios_ns from /etc/sysconfig/iptables-config
by default).

Or you can scale the conntrack table by the ip_conntrack_max AND ip_conntrack_buckets
parameters. The latter is tuned via sysfs
(/sys/module/ip_conntrack/parameters/hashsize or
/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets or something similar, may
depend on version). If you increase max without buckets, it really hurts
performance. Buckets should be a few times (2-8) smaller than max. On large
numbers it may eat a lot of RAM, so be careful, especially on 32-bit systems. More
buckets -> more performance and more memory footprint.

Or, as you mentioned, you can use the NOTRACK target to avoid using conntrack on
some basis. Adding one extra rule per service is a really simple and efficient
way.

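The sizing rule of thumb and the per-service NOTRACK approach from the comment above, as an added shell example that is not part of the bug thread: it reads nf_conntrack_max and the conntrack hashsize module parameter where they exist (falling back to constructed sample values so it runs offline), reports whether max divided by buckets falls in the 2-8 range the comment recommends, suggests a bucket count, and prints the raw-table NOTRACK rules for one TCP service port. The file paths are the modern nf_conntrack names; the ip_conntrack paths quoted in the thread belong to older kernels. The function names and the fallback numbers are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread: check conntrack table sizing against
# the "buckets a few times (2-8) smaller than max" rule and emit NOTRACK rules.

# Print the contents of a file if it is readable, otherwise the fallback value
# (constructed sample, so the script also runs where conntrack is not loaded).
read_or() { if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi; }

# Integer number of conntrack entries per hash bucket (max / buckets).
conntrack_ratio() {
  max=$1; buckets=$2
  [ "$buckets" -gt 0 ] 2>/dev/null || { echo invalid; return 1; }
  echo $(( max / buckets ))
}

# Verdict on the ratio: "ok" for 2..8, "too-deep" above 8 (long hash chains,
# slow lookups, the case the comment warns about), "too-sparse" below 2
# (memory spent on buckets that stay mostly empty).
conntrack_verdict() {
  r=$(conntrack_ratio "$1" "$2") || { echo invalid; return 1; }
  if [ "$r" -gt 8 ]; then echo too-deep
  elif [ "$r" -lt 2 ]; then echo too-sparse
  else echo ok
  fi
}

# Suggested bucket count for a given max: max / 4 sits in the middle of 2-8.
recommend_buckets() { echo $(( $1 / 4 )); }

# NOTRACK rules for one TCP port. Both directions must bypass conntrack: the
# incoming request in PREROUTING and the locally generated reply in OUTPUT.
# Newer iptables also accept the equivalent "-j CT --notrack".
notrack_rules() {
  port=$1
  printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j NOTRACK\n' "$port"
  printf 'iptables -t raw -A OUTPUT -p tcp --sport %s -j NOTRACK\n' "$port"
}

main() {
  # Fallbacks are constructed: 262144 entries over 16384 buckets (ratio 16).
  max=$(read_or /proc/sys/net/netfilter/nf_conntrack_max 262144)
  buckets=$(read_or /sys/module/nf_conntrack/parameters/hashsize 16384)
  echo "nf_conntrack_max=$max hashsize=$buckets ratio=$(conntrack_ratio "$max" "$buckets") -> $(conntrack_verdict "$max" "$buckets")"
  echo "suggested hashsize: $(recommend_buckets "$max")"
  echo "raw-table rules to keep DNS (tcp/53) out of conntrack:"
  notrack_rules 53
}

main "$@"
```

Run it as-is to see the verdict for the current host (or the constructed sample), then apply the suggested hashsize with `echo N > /sys/module/nf_conntrack/parameters/hashsize` and raise nf_conntrack_max only together with it, as the comment advises.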