foxy 202 wrote:>
> Hi all,
> I manage network with two connections with l00Mbit
> In the past when network wasn''t so load everything was OK, now
> in pick hours load over border server from 1.0 to 1.5 / it
isn''t so
> big /
> and for me is very strange why I have increasing of ping timeout
> from 0.5- 5ms in normal hour to 50-100 ms in pick hours..
>
> server is with good hardware
> AMD 64 Dualcore 3800+
> Intel Gigabit Ethernet
> 1 GB RAM
> Debian sarge 2.6.16 #2 SMP kernel
>
> I use about 240 mangle rules with iptables to mark download traffic
> and to
> limit it but when I try to load more rules server increase load and
> begin to drop
> packages :(
>
> my question is why when I try to load new 200 mangle rules / only
> mangle rules / server increase load average and ping timeout increase
> to 50-100 ms
> and second is what is better solution for networks with more then
> 100Mbit traffic ..
> to use iptables mangle rules + u32 or to use more u32 filters and
> less mangle rules ?
>
> Actually I don''t have experience with so big traffic and I need
any
> advice is welcome.
>
>
> Best Regards
> Emil
Emil,
I don''t have any real answers but I encountered the same problem you
have, except your hardware is a lot better than mine. I''d load 255
rules and the keyboard would become unresponsive and the network was
terribly slow. Not just pings, everything.
I changed the NIC and that helped. I''ve forgotten what I replaced it
with, but it uses the Tulip driver and it is 100Mbit.
I changed iptables source code for connection tracking. TCP conntrack
is set to track connections for 5 DAYS! If I recall correctly, I
changed that to 20 minutes. That reduced the size of
/proc/net/ip_conntrack and that at least made the keyboard OK, but it
was still not enough.
You should search the mailing list archives for hashing.
(I gave up trying to maintain 255 marks.)
--
gypsy