Hi all,

I don't know if this problem is related to shorewall, but as here we have a lot of firewall experts ... :)

We are using a Leaf box (1GHz 256MB RAM) for a network with normal traffic of about 6Mbps but peaks of up to 40Mbps. The chipset of the ethernets is a Realtek.

We are experiencing some high latency, high CPU usage issues (the CPU is at 90%) and we discovered the process ksoftirqd_CPU0 could consume up to 50% of that.

We are using a 2.4.26 kernel and have NOT compiled any optimization regarding network besides those available on Leaf.

These problems have appeared since they started to use the firewall (shorewall based), so we think it has something to do with it or iptables or the tracking table or whatever.

At this time they have around 50 zones and they use all of them. Could this be a problem? I have been reading about iptables performance and know it reaches a limit around 500 rules and then starts degrading, but also know shorewall does a great job dividing the rules in such a way that the traffic doesn't need to pass through all of them.

Any clue? Any advice? We will be VERY appreciative.

Regards
--
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
> Hi all,
>
> I don't know if this problem is related to shorewall, but as here we
> have a lot of firewall experts ... :)
>
> We are using a Leaf box (1GHz 256MB RAM) for a network with normal
> traffic of about 6Mbps but peaks of up to 40Mbps. The chipset of the
> ethernets is a Realtek.

1) What kind of CPU is this? 1GHz doesn't say much. Is it PIII or some kind of embedded VIA or so?

2) Is there any chance to replace the Realteks with some decent NIC like Intel or so? I'm quite sure this will fix your problems.

Simon

> We are experiencing some high latency, high CPU usage issues (the CPU
> is at 90%) and we discovered the process ksoftirqd_CPU0 could consume up
> to 50% of that.
>
> We are using a 2.4.26 kernel and have NOT compiled any optimization
> regarding network besides those available on Leaf.
>
> These problems have appeared since they started to use the firewall
> (shorewall based), so we think it has something to do with it or iptables or
> the tracking table or whatever.
>
> At this time they have around 50 zones and they use all of them. Could
> this be a problem? I have been reading about iptables performance and
> know it reaches a limit around 500 rules and then starts degrading, but
> also know shorewall does a great job dividing the rules in such a way that
> the traffic doesn't need to pass through all of them.
>
> Any clue? Any advice? We will be VERY appreciative.
>
> Regards
>
> --
> Jaime Nebrera - jnebrera@eneotecnologia.com
> Consultor TI - ENEO Tecnologia SL
> Telf.- 95 455 40 62 - 619 04 55 18
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Hi,

> 1) What kind of CPU is this? 1GHz doesn't say much. Is it PIII or some
> kind of embedded VIA or so?

Sorry, I forgot: it is a VIA Eden 1GHz.

> 2) Is there any chance to replace the Realteks with some decent NIC like
> Intel or so? I'm quite sure this will fix your problems.

Nope, this is an embedded system with the NICs on the motherboard :( Still, we have tested it without the firewall and those NICs were able to sustain around 85Mbps.

Also, we are using SW 2.0.16 (yes, we need to upgrade it) and the 50 zones set builds into 1500 iptables rules, more or less.

Regards
--
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
2005/5/10, Jaime Nebrera <jnebrera@eneotecnologia.com>:

> Hi all,
>
> I don't know if this problem is related to shorewall, but as here we
> have a lot of firewall experts ... :)
>
> We are using a Leaf box (1GHz 256MB RAM) for a network with normal
> traffic of about 6Mbps but peaks of up to 40Mbps. The chipset of the
> ethernets is a Realtek.
>
> We are experiencing some high latency, high CPU usage issues (the CPU
> is at 90%) and we discovered the process ksoftirqd_CPU0 could consume up
> to 50% of that.

This is a kernel issue; it seems to take a lot of resources processing the rules.

> We are using a 2.4.26 kernel and have NOT compiled any optimization
> regarding network besides those available on Leaf.
>
> These problems have appeared since they started to use the firewall
> (shorewall based), so we think it has something to do with it or iptables or
> the tracking table or whatever.

http://howtos.linux.com/howtos/KernelAnalysis-HOWTO-5.shtml

> At this time they have around 50 zones and they use all of them. Could
> this be a problem? I have been reading about iptables performance and
> know it reaches a limit around 500 rules and then starts degrading, but
> also know shorewall does a great job dividing the rules in such a way that
> the traffic doesn't need to pass through all of them.
>
> Any clue?

Memory usage?
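The thread turns on two numbers: the roughly 500 rules after which the poster has read that iptables throughput degrades, and the 1500 rules that the 50-zone shorewall configuration generates, with the hope that shorewall's per-zone chains keep any one packet from walking all of them. The script below is an added example for checking exactly that on a box, not code from the thread or from the shorewall project. It parses `iptables-save` output (read from stdin, or a constructed sample ruleset when run interactively), counts rules per chain, and computes an upper bound on how many rules a packet entering FORWARD can be matched against by following every `-j` jump into user chains. The sample chains (`eth0_fwd`, `net2loc`, `Drop`, and so on) are hypothetical names chosen to resemble a shorewall layout; the script makes no assumption about real shorewall chain names.

```python
"""Estimate rule traversal cost from `iptables-save` output.

Added example for the shorewall-users thread; not part of the thread or
of shorewall.  Counts rules per chain in the filter table and bounds the
number of rules one packet can be evaluated against from FORWARD.
"""
import sys
from collections import defaultdict

# Constructed sample ruleset in iptables-save format (hypothetical chain
# names chosen to look like a zone-based layout; not from the poster's box).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_fwd - [0:0]
:eth1_fwd - [0:0]
:net2loc - [0:0]
:loc2net - [0:0]
:Drop - [0:0]
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -j Drop
-A eth0_fwd -o eth1 -j net2loc
-A eth1_fwd -o eth0 -j loc2net
-A net2loc -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p tcp --dport 80 -j ACCEPT
-A net2loc -p tcp --dport 443 -j ACCEPT
-A net2loc -j Drop
-A loc2net -m state --state ESTABLISHED,RELATED -j ACCEPT
-A loc2net -j ACCEPT
-A Drop -p tcp --dport 135 -j DROP
-A Drop -j DROP
COMMIT
"""

# Targets that are not user-defined chains, so a jump to them is not followed.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                   "MASQUERADE", "SNAT", "DNAT", "MARK"}


def parse_ruleset(text):
    """Return {chain: [target, ...]} for the filter table.

    One list entry per rule, holding the rule's -j target (None when the
    rule has no target), so len(list) is the chain's rule count.
    """
    chains = defaultdict(list)
    in_filter = False
    for line in text.splitlines():
        if line.startswith("*"):                 # table header, e.g. *filter
            in_filter = line.strip() == "*filter"
            continue
        if not in_filter:
            continue
        if line.startswith(":"):                 # chain declaration
            chains.setdefault(line[1:].split()[0], [])
            continue
        if line.startswith("-A "):               # append rule to chain
            parts = line.split()
            target = parts[parts.index("-j") + 1] if "-j" in parts else None
            chains[parts[1]].append(target)
    return dict(chains)


def rule_counts(chains):
    """Return (total rules, [(chain, count), ...] largest chains first)."""
    ordered = sorted(chains.items(), key=lambda kv: -len(kv[1]))
    return sum(len(r) for r in chains.values()), [(c, len(r)) for c, r in ordered]


def worst_case_traversal(chains, start="FORWARD", _seen=None):
    """Upper bound on rules evaluated for one packet entering `start`.

    A packet is matched against each rule in order until one terminates.
    The worst case is that no rule in a jumped-to user chain terminates
    and the packet RETURNs, so the bound is this chain's rules plus the
    worst case of every user chain it jumps to.  `_seen` guards against
    loops, which iptables itself refuses to load.
    """
    _seen = set() if _seen is None else _seen
    if start in _seen or start not in chains:
        return 0
    _seen = _seen | {start}
    total = len(chains[start])
    for target in chains[start]:
        if target and target not in BUILTIN_TARGETS:
            total += worst_case_traversal(chains, target, _seen)
    return total


if __name__ == "__main__":
    text = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    chains = parse_ruleset(text)
    total, per_chain = rule_counts(chains)
    print(f"{total} rules in {len(chains)} chains")
    for name, n in per_chain:
        print(f"  {name:16s} {n:5d}")
    print("worst-case rules evaluated per forwarded packet:",
          worst_case_traversal(chains, "FORWARD"))
```

On the firewall itself this is run as `iptables-save | python3 traversal.py`. The interesting output is not the total (the 1500 mentioned in the thread) but the FORWARD bound: if it is close to the total, the zone chains are not isolating traffic the way the poster hopes, and a packet in the wrong zone pair really does walk most of the ruleset. Note that the bound is deliberately pessimistic, since a chain ending in an unconditional DROP or ACCEPT never returns; it is a ceiling to compare against the 500-rule figure, not a measurement of the common path.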