Hi guys,

I have a router that is managing around 12 to 15 different subnets within a /23, all through one interface (ugly, I know, don't ask).

I am experiencing a fluctuating latency for traffic passing through the router. It seems to fluctuate between 2ms and 20ms, and occasionally has packet loss (though not too often since increasing the conntrack_max sysctl variable).

The question that I have is in regards to "net.ipv4.netfilter.ip_conntrack_count". This has been increasing since the router has been installed, and I have had to increase it beyond the default of 16k to 64k, though it is currently at 30k entries, and within a few days, it will probably hit the 64k limit.

My 'shorewall status' is available at http://tusker.sg/status.gz for anyone who wishes to have a look. It is an old copy since I can't get my current status (there is a bug in that status.gz which I have since solved: I had defined the 'net' zone as 0.0.0.0/24, which is obviously not 'net' [it is now 0.0.0.0/0]). (I receive out of space errors while trying shorewall status, because of "cat: /proc/net/ip_conntrack: No space left on device")

I also have a requirement to traffic shape (using tcrules etc), though I'm afraid that the traffic control will also increase the conntrack_count. Will adding the tcrules/traffic control put a drain on the router, and make the latency worse?

Thanks in advance,

Damien
Damien Mascord wrote:
> Hi guys,

Hi guys again,

Just to follow up my own email, I will try and summarize what I would like to achieve, in case my previous email was a bit too wordy.

1) Implement traffic control, marking based on subnet, as defined by the zones.
2) Reduce the amount of latency for traffic going through the router.
3) Have shorewall status > status.txt not die with "cat: /proc/net/ip_conntrack: No space left on device".

More information is included below, and if you require any further information, please do ask,

Thanks,

Damien

> I have a router that is managing around 12 to 15 different subnets
> within a /23, all through one interface (ugly, I know, don't ask).
>
> I am experiencing a fluctuating latency for traffic passing through
> the router. It seems to fluctuate between 2ms and 20ms, and
> occasionally has packet loss (though not too often since increasing
> the conntrack_max sysctl variable).
>
> The question that I have is in regards to
> "net.ipv4.netfilter.ip_conntrack_count". This has been increasing
> since the router has been installed, and I have had to increase it
> beyond the default of 16k to 64k, though it is currently at 30k
> entries, and within a few days, it will probably hit the 64k limit.
>
> My 'shorewall status' is available at http://tusker.sg/status.gz for
> anyone who wishes to have a look. It is an old copy since I can't get
> my current status (there is a bug in that status.gz which I have since
> solved: I had defined the 'net' zone as 0.0.0.0/24, which is obviously
> not 'net' [it is now 0.0.0.0/0]). (I receive out of space errors
> while trying shorewall status, because of "cat:
> /proc/net/ip_conntrack: No space left on device")
>
> I also have a requirement to traffic shape (using tcrules etc), though
> I'm afraid that the traffic control will also increase the
> conntrack_count. Will adding the tcrules/traffic control put a drain
> on the router, and make the latency worse?
>
> Thanks in advance,
>
> Damien
On Sunday 23 October 2005 09:23, Damien Mascord wrote:
> Damien Mascord wrote:
> > Hi guys,
>
> Hi guys again,
>
> Just to follow up my own email, I will try and summarize what I would
> like to achieve, in case my previous email was a bit too wordy.
>
> 1) Implement traffic control, marking based on subnet, as defined by the
> zones.
> 2) Reduce the amount of latency for traffic going through the router.
> 3) Have shorewall status > status.txt not die with "cat:
> /proc/net/ip_conntrack: No space left on device".
>
> More information is included below, and if you require any further
> information, please do ask,

Damien,

I didn't know what to make of your first post and I still don't understand what I can do to help you.

Configurations where you are routing heavy traffic in and out of the same interface have been problematic in the past. From what we've seen on the list over the years, many PC network cards perform badly in that configuration and some of them will just roll over and die. Given that I consider it silly to route traffic out of the same interface that it came in on, I have spent no time trying to understand the performance/latency problems that might surround such a setup or how to deal with them. So I'm afraid that all of the help I can give you is the old gag:

Patient: Doctor, it hurts when I do this.
Doctor: Then don't do that.

Adding some traffic shaping might help and it shouldn't have a negative impact on your conntrack table usage.

Finally, getting an error from 'cat /proc/net/ip_conntrack' isn't something that Shorewall and Shorewall configuration can do anything about (I'm assuming that if you dump the conntrack table to /dev/null, you get the same error? -- or does it simply run forever?).

About the only suggestion I have about conntrack usage and the 'cat' problem is to try:

echo 0 > /proc/sys/net/ipv4/conf/<internal interface>/send_redirects

If that helps then you can include it in your /etc/shorewall/init file.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
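The two checks Tom suggests (whether dumping the conntrack table itself fails, and turning off send_redirects on the internal interface), plus a usage check against ip_conntrack_max, as an added POSIX shell script that is not part of the thread. It assumes the 2.6-era /proc paths named in the thread; every path is a parameter so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the thread. Checks conntrack table pressure and
# the "cat /proc/net/ip_conntrack" failure Damien reports, and applies the
# send_redirects setting Tom suggests. Paths are assumptions for a 2.6-era
# kernel and can be overridden for testing.

# Percentage of the conntrack table in use, from the count and max files.
conntrack_usage() {
    count_file=${1:-/proc/sys/net/ipv4/netfilter/ip_conntrack_count}
    max_file=${2:-/proc/sys/net/ipv4/netfilter/ip_conntrack_max}
    count=$(cat "$count_file") || return 1
    max=$(cat "$max_file") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Exit status 0 if dumping the table to /dev/null succeeds, non-zero if
# cat fails (e.g. ENOSPC), which separates a kernel problem from a
# Shorewall one, as Tom's question implies.
conntrack_dump_ok() {
    table=${1:-/proc/net/ip_conntrack}
    cat "$table" > /dev/null 2>&1
}

# Report usage; return 1 when it is at or above the threshold (default 80%).
check_conntrack() {
    pct=$(conntrack_usage "$1" "$2") || return 2
    threshold=${3:-80}
    if [ "$pct" -ge "$threshold" ]; then
        echo "conntrack table ${pct}% full: raise ip_conntrack_max or cut timeouts"
        return 1
    fi
    echo "conntrack table ${pct}% full"
}

# Disable ICMP redirects on an interface. A Linux router forwarding a
# packet back out the interface it arrived on sends a redirect for it,
# which is exactly the hairpin setup in this thread. The base directory
# is a parameter so the function can be tested against a copy.
disable_send_redirects() {
    iface=$1
    base=${2:-/proc/sys/net/ipv4/conf}
    echo 0 > "$base/$iface/send_redirects"
}
```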
Damien Mascord wrote:
> Hi guys,
>
> I have a router that is managing around 12 to 15 different subnets
> within a /23, all through one interface (ugly, I know, don't ask).

_very_ ugly.

> (I receive out of space errors while trying
> shorewall status, because of "cat: /proc/net/ip_conntrack: No space left
> on device")

"Don't do that then" ;)

> I also have a requirement to traffic shape (using tcrules etc), though
> I'm afraid that the traffic control will also increase the
> conntrack_count. Will adding the tcrules/traffic control put a drain on
> the router, and make the latency worse?

Traffic shaping capabilities available in shorewall 3.0RC2 can help you. However, get decent NICs. (expensive 3com cards are a good example)

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'