https://bugzilla.netfilter.org/show_bug.cgi?id=830

           Summary: ??iptables?????????
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: RedHat Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: higkoohk at gmail.com
   Estimated Hours: 0.0

???????????????????????????? ???Linux?iptables????????????????????????????????? ????????????http???web??????iptables????????????? 1?????????? 2????? iptables ip_conntrack table full dropping packet OK??? ip_conntrack ?????????????????????????????????tcp????????????tcp??????ip??????????iptables???????????? ??????? ip_conntrack ?????????? raw ???? notrack ??????????????????? ip_conntrack ??iptables ???????? ?????? notrack ????????????????????http???dns??? ???????????????????80??notrack???????????????????????????????????????? ????

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
https://bugzilla.netfilter.org/show_bug.cgi?id=830

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-06-26 22:27:02 CEST ---
In the future, please post bug reports in English, thank you.

From the Google translation of your message, you do not appear to be reporting a bug, but more of a general question about netfilter. Questions should be sent to the netfilter mailing list. See http://netfilter.org/mailinglists.html#ml-user
https://bugzilla.netfilter.org/show_bug.cgi?id=830

--- Comment #2 from higkoohk at gmail.com 2013-06-27 05:09:32 CEST ---
Iptables impact on server performance issues

I'm so glad to have found a place where this problem can be raised:

When using Linux iptables, I found that it adversely affects server performance, and on a high-stress server this is perceived significantly. For example: with one million http requests per second on a web server, even if no iptables rules are set, you will find:

1. server performance begins to drop
2. soon: iptables ip_conntrack table full dropping packet

OK, for the ip_conntrack table full problem you can set a larger table, but the larger the table, the slower! The fundamental problem is that this table records all the various tcp states! In fact, I do not care about tcp state, only the ip address filtering function. Iptables feels too heavy; is there no way to make it lightweight?

In addition, I also found another solution for ip_conntrack: use the raw table and set the notrack tag, so that connections matching the rule are not recorded in the ip_conntrack table, and iptables performance improves significantly! However, enabling the notrack function breaks some things, such as outgoing http requests and dns resolution. So in the production environment we only enable notrack on service ports, such as 80, but ultimately it's not a good idea, because there may be other ports that need to be maintained, and this thing becomes very complicated.

Seeking support!
bugzilla-daemon at netfilter.org
2013-Jun-27 03:20 UTC
[Bug 830] Iptables impact on server performance issues
https://bugzilla.netfilter.org/show_bug.cgi?id=830

higkoohk at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|??iptables?????????         |Iptables impact on server
                   |                            |performance issues
bugzilla-daemon at netfilter.org
2013-Jun-27 12:13 UTC
[Bug 830] Iptables impact on server performance issues
https://bugzilla.netfilter.org/show_bug.cgi?id=830

Dmitry Petuhov <d.petuhov at electro-com.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d.petuhov at electro-com.ru

--- Comment #3 from Dmitry Petuhov <d.petuhov at electro-com.ru> 2013-06-27 14:13:49 CEST ---
It is not a bug.
I did not really understand what you want.

If you do not need conntrack then do not use it. Just unload the [ip|nf]_conntrack module (there must not be any rules that use it in the firewall: state and conntrack matches, NAT destinations, etc). Maybe remove its loading on startup (older RHEL loads ip_conntrack_netbios_ns from /etc/sysconfig/iptables-config by default).

Or you can scale the conntrack table by the ip_conntrack_max AND ip_conntrack_buckets parameters. The last is tuned via sysfs (/sys/module/ip_conntrack/parameters/hashsize or /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets or something similar, may depend on version). If you increase max without buckets, it really hurts performance. Buckets should be a few times (2-8) smaller than max. At large numbers it may eat a lot of RAM, so be careful, especially on 32-bit systems. More buckets -> more performance and more memory footprint.

Or, as you mentioned, you can use the NOTRACK target to avoid using conntrack on some basis. Adding one extra rule per service is a really simple and efficient way.
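The sizing and NOTRACK advice in comment #3, turned into a small POSIX shell helper that reports how full the conntrack table is, suggests a hash-bucket count in the 2-8x ratio the comment recommends, and prints (rather than applies) the raw-table rules that exempt one service port. This is an added example, not code from the thread or from the netfilter project. It assumes an nf_conntrack kernel, where the live values live under /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max and the bucket count under /sys/module/nf_conntrack/parameters/hashsize (older ip_conntrack kernels use the ip_conntrack_* paths named in comment #3); when those files are not readable it falls back to constructed sample values.

```shell
#!/bin/sh
# Added example (not from the bug thread): conntrack sizing and per-service
# NOTRACK helpers following the advice in comment #3.
#
# Assumption: nf_conntrack paths. Older ip_conntrack kernels use
# /proc/sys/net/ipv4/netfilter/ip_conntrack_max / ip_conntrack_buckets and
# /sys/module/ip_conntrack/parameters/hashsize instead.

# Suggested bucket (hashsize) count for a given conntrack max, using the
# max/buckets ratio RATIO (comment #3 suggests 2-8; default 4). Prints an integer.
conntrack_buckets_for_max() {
    max=$1
    ratio=${2:-4}
    echo $(( max / ratio ))
}

# Percentage of the conntrack table currently in use (integer, rounded down).
conntrack_usage_pct() {
    count=$1
    max=$2
    echo $(( count * 100 / max ))
}

# Report table usage. Reads live values from /proc when readable; otherwise
# uses constructed sample values that model a nearly full table.
conntrack_report() {
    count_file=/proc/sys/net/netfilter/nf_conntrack_count
    max_file=/proc/sys/net/netfilter/nf_conntrack_max
    if [ -r "$count_file" ] && [ -r "$max_file" ]; then
        count=$(cat "$count_file")
        max=$(cat "$max_file")
    else
        count=60000   # constructed sample value
        max=65536     # constructed sample value
    fi
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count/$max entries in use ($pct%)"
    echo "suggested hashsize at max/4: $(conntrack_buckets_for_max "$max" 4)"
    # "table full, dropping packet" is what follows once this reaches 100%.
    [ "$pct" -ge 90 ] && echo "WARNING: table nearly full; raise nf_conntrack_max and hashsize together, not max alone"
    return 0
}

# Print the raw-table rules that exempt one TCP service port from tracking in
# both directions (inbound by destination port, replies by source port).
# Rules are printed for review, not executed.
notrack_rules_for_port() {
    port=$1
    printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j NOTRACK\n' "$port"
    printf 'iptables -t raw -A OUTPUT -p tcp --sport %s -j NOTRACK\n' "$port"
}

conntrack_report
notrack_rules_for_port 80
```

One caveat when adopting the per-port NOTRACK rules: packets exempted this way never acquire a conntrack state, so a filter chain that admits traffic only with `-m state --state ESTABLISHED,RELATED` will no longer accept them; the accept rule for that port must then match on the port itself (for example `-p tcp --dport 80 -j ACCEPT`), which is also why the reporter saw outgoing http and dns break when notrack was applied too broadly.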
bugzilla-daemon at netfilter.org
2013-Jun-27 13:10 UTC
[Bug 830] Iptables impact on server performance issues
https://bugzilla.netfilter.org/show_bug.cgi?id=830

higkoohk at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from higkoohk at gmail.com 2013-06-27 15:10:33 CEST ---
(???? #3)
> It is not a bug.
> I did not really understand what you want.
>
> If you do not need conntrack then do not use it. Just unload the [ip|nf]_conntrack
> module (there must not be any rules that use it in the firewall: state and
> conntrack matches, NAT destinations, etc). Maybe remove its loading on startup
> (older RHEL loads ip_conntrack_netbios_ns from /etc/sysconfig/iptables-config
> by default).
>
> Or you can scale the conntrack table by the ip_conntrack_max AND ip_conntrack_buckets
> parameters. The last is tuned via sysfs
> (/sys/module/ip_conntrack/parameters/hashsize or
> /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets or something similar, may
> depend on version). If you increase max without buckets, it really hurts
> performance. Buckets should be a few times (2-8) smaller than max. At large
> numbers it may eat a lot of RAM, so be careful, especially on 32-bit systems. More
> buckets -> more performance and more memory footprint.
>
> Or, as you mentioned, you can use the NOTRACK target to avoid using conntrack on
> some basis. Adding one extra rule per service is a really simple and efficient
> way.

Many thanks! This is just what I want, thank you so much.