On 4/30/2015 11:50 PM, Willy Tarreau wrote:
> If you're working on preparing the OS, please *do* verify that
> conntrack is properly tuned (large hash table with at least 1/4 of the
> total number of sessions). Otherwise under load it will become
> extremely slow.
When I asked about recommendations earlier, I was not using the firewall, but now circumstances (FTP load balancing) will force me into turning the firewall on. At that point, I expect I will need to pay attention to netfilter tuning.

I found another message on the Internet where you advised someone to look at nf_conntrack_max and nf_conntrack_htable_size. On a recent (3.13) kernel, the htable size parameter doesn't seem to exist. I found netfilter/nf_conntrack_max, which is set to 65536. There is also /netfilter/nf_conntrack_expect_max, which is set to 256.

Is a value of 65536 for nf_conntrack_max high enough? I'm definitely no expert, but that certainly seems like a pretty high number, although I did see one recommendation of 262144, and another where they used 10485760. I would expect normal peak traffic to be below a few hundred requests per second. If we ever saw 1000-2000 per second, I'm not sure our current backend hardware could keep up.

Thanks,
Shawn
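An added example, not part of the thread: a small POSIX shell check that reads the conntrack limit, the number of tracked sessions and the hash table size, and reports whether the table meets the "hash buckets at least 1/4 of the session limit" rule Willy quotes above and how close the table is to being full. The file paths under /proc and /sys are my assumptions about where the kernel exposes these values, and the two fixtures are constructed so the check can run offline.

```shell
#!/bin/sh
# Added example, not from the thread: check conntrack sizing against the
# "hash table at least 1/4 of the session limit" rule quoted above.
# Assumed paths (where the kernel exposes these values, relative to ROOT):
#   proc/sys/net/netfilter/nf_conntrack_max      session limit (Shawn's: 65536)
#   proc/sys/net/netfilter/nf_conntrack_count    sessions currently tracked
#   sys/module/nf_conntrack/parameters/hashsize  hash buckets
set -e

conntrack_check() {   # $1 = ROOT ("" for the live system); prints one line
    root="$1"
    max=$(cat "$root/proc/sys/net/netfilter/nf_conntrack_max")
    count=$(cat "$root/proc/sys/net/netfilter/nf_conntrack_count")
    hashsize=$(cat "$root/sys/module/nf_conntrack/parameters/hashsize")
    want=$((max / 4))                 # minimum buckets per the 1/4 rule
    pct=$((count * 100 / max))        # table utilisation in percent
    verdict=ok
    if [ "$hashsize" -lt "$want" ]; then
        verdict="hash_too_small(need>=$want)"   # lookups degrade to long chains
    fi
    if [ "$pct" -ge 80 ]; then
        verdict="$verdict,near_limit"           # at 100% new flows are dropped
    fi
    printf 'max=%s count=%s hashsize=%s util=%s%% verdict=%s\n' \
        "$max" "$count" "$hashsize" "$pct" "$verdict"
}

make_fixture() {   # $1=max $2=count $3=hashsize -> prints a constructed ROOT
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/netfilter" "$d/sys/module/nf_conntrack/parameters"
    echo "$1" > "$d/proc/sys/net/netfilter/nf_conntrack_max"
    echo "$2" > "$d/proc/sys/net/netfilter/nf_conntrack_count"
    echo "$3" > "$d/sys/module/nf_conntrack/parameters/hashsize"
    echo "$d"
}

# Constructed fixtures: Shawn's limit of 65536 with a correctly sized
# hash table, then the same limit with too few buckets under heavy load.
conntrack_check "$(make_fixture 65536 1200 16384)"
conntrack_check "$(make_fixture 65536 60000 8192)"

# On a real host, run the same check against the live values (if present).
if [ -r /proc/sys/net/netfilter/nf_conntrack_max ] &&
   [ -r /proc/sys/net/netfilter/nf_conntrack_count ] &&
   [ -r /sys/module/nf_conntrack/parameters/hashsize ]; then
    conntrack_check ""
fi
```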