netfilter buglog - Jun 2013 - [Bug 830] New: 關於iptables影響服務器性能事宜

https://bugzilla.netfilter.org/show_bug.cgi?id=830

           Summary: ??iptables?????????
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: RedHat Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: higkoohk at gmail.com
   Estimated Hours: 0.0


????????????????????????????

???Linux?iptables?????????????????????????????????

????????????http???web??????iptables?????????????
1??????????
2????? iptables ip_conntrack table full dropping packet

OK??? ip_conntrack
?????????????????????????????????tcp????????????tcp??????ip??????????iptables????????????

??????? ip_conntrack ?????????? raw ???? notrack ???????????????????
ip_conntrack ??iptables ????????

?????? notrack ????????????????????http???dns???
???????????????????80??notrack????????????????????????????????????????

????

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.netfilter.org/show_bug.cgi?id=830

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-06-26
22:27:02 CEST ---
In the future, please post bug reports in english, thank you.
>From the google translation of your message, you do not appear to be
reporting
a bug, but more of a general question about netfilter.  Questions should be
sent to the netfilter mailing list.  See
http://netfilter.org/mailinglists.html#ml-user

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.netfilter.org/show_bug.cgi?id=830

--- Comment #2 from higkoohk at gmail.com 2013-06-27 05:09:32 CEST ---
Iptables impact on server performance issues


I'm so glad to find problem areas can issue this:

When using the Linux iptables, I found that it would adversely affect server
performance, especially in high-stress server perceived significantly.

For example: One million http requests per second over a web server, even if
not set any iptables rules, you will find:
1, server performance begins to drop
2, soon iptables ip_conntrack table full dropping packet

OK, for ip_conntrack
Table full of problems, you can set large table, but the larger the table, the
slower! The fundamental problem is that these table records all tcp various
states! In fact, I do not care about tcp state, only ip address filtering
function. Iptables feeling too heavy, there is no way to lightweight?

In addition, I also found the ip_conntrack other solutions: Use raw tables, set
the notrack tag, so the connection matches the rule will not be recorded
ip_conntrack table, iptables performance has improved significantly!

However, opening a notrack function will make bad, such as in foreign http
requests, dns resolution.
So, the production environment, we only service port, such as 80 open notrack,
but ultimately it's not a good idea. Because there may be other ports need
to
be maintained, this thing becomes very complicated.

Seeking support!

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.netfilter.org/show_bug.cgi?id=830

higkoohk at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|??iptables?????????         |Iptables impact on server
                   |                            |performance issues

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.netfilter.org/show_bug.cgi?id=830

Dmitry Petuhov <d.petuhov at electro-com.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d.petuhov at electro-com.ru

--- Comment #3 from Dmitry Petuhov <d.petuhov at electro-com.ru>
2013-06-27 14:13:49 CEST ---
It is not a bug.
I not really understood what you want.

If you not need conntrack then do not use it. Just unload [ip|nf]_conntrtack
module (there must not be any rules that use it in firewall: state and
conntrack matches, NAT destinations, etc). Maybe remove its loading on starup
(older RHEL loads ip_conntrack_netbios_ns from /etc/sysconfig/iptables-config
by default).

Or you can scale conntrack table by ip_conntrack_max AND ip_conntrack_buckets
parameters. Last is tuned via sysfs
(/sys/module/ip_conntrack/parameters/hashsize or
/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets or something similar, may
depend on version). If you increase max without buckets, it really hurts
performance. Buckets should be few times (2-8) smaller than max. On large
numbers it may eat many RAM, so be careful, especially on 32-bit systems. More
buckent -> more performance and more memory footprint.

Or, as you metrioned, you can use NOTRACK target to avoid using conntrack on
some basis. Adding one extra rule per service is really simple and efficient
way.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.netfilter.org/show_bug.cgi?id=830

higkoohk at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from higkoohk at gmail.com 2013-06-27 15:10:33 CEST ---
(???? #3)
> It is not a bug.
> I not really understood what you want.
> 
> If you not need conntrack then do not use it. Just unload
[ip|nf]_conntrtack
> module (there must not be any rules that use it in firewall: state and
> conntrack matches, NAT destinations, etc). Maybe remove its loading on
starup
> (older RHEL loads ip_conntrack_netbios_ns from
/etc/sysconfig/iptables-config
> by default).
> 
> Or you can scale conntrack table by ip_conntrack_max AND
ip_conntrack_buckets
> parameters. Last is tuned via sysfs
> (/sys/module/ip_conntrack/parameters/hashsize or
> /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets or something similar, may
> depend on version). If you increase max without buckets, it really hurts
> performance. Buckets should be few times (2-8) smaller than max. On large
> numbers it may eat many RAM, so be careful, especially on 32-bit systems.
More
> buckent -> more performance and more memory footprint.
> 
> Or, as you metrioned, you can use NOTRACK target to avoid using conntrack
on
> some basis. Adding one extra rule per service is really simple and
efficient
> way.
many thanks!

this is just i want , thank you so much ..

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.