Hi folks,

At my site all of the OpenAFS servers are separated from the clients by stateful iptables firewalls that include NAT. The first OpenAFS clients had been running for less than a week when I figured that the AFS packets being dropped by the firewall (mostly SPT=7000 DPT=7001) might have something to do with the poor performance being experienced by the users.

Figuring that this would have something to do with UDP timeouts, I found an article somewhere* in which it was suggested that increasing the values for ip_conntrack_udp_timeout and ip_conntrack_udp_timeout_stream from the default of 30 seconds to 28800 (8 hours) would solve things. It seems to have done the trick: AFS packets are no longer being dropped and the users say the system is performing much better.

But I'm worried now that 28800 is probably overdoing it. AFS connections over UDP don't seem to use a lot of random ports, but DNS does and I'm also running Bind9 behind the same firewalls. My worry is that this high timeout value may get me into trouble with things like spoofing and UDP port number recycling (i.e. running out of resources).

What's the best solution in this situation? Is a 28800-second timeout value for UDP connections okay, or can I do with less? Or, would it be a better idea to instead configure all of the workstations with the following command?

   fs checkservers -interval 10

Thanks,

Jaap Winius

*) http://www.cs.washington.edu/homes/bdferris/afs_conntrack_nat/index.html
   (okay, this advice may be outdated)
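An added example, not part of the post above, that shows how a firewall administrator could check what the post's conntrack tuning costs in practice: it reads the UDP timeouts and the conntrack table fill level, grades the fill level, and estimates how many entries a given UDP timeout keeps alive. It assumes the newer sysctl names under /proc/sys/net/netfilter (nf_conntrack_udp_timeout, nf_conntrack_count, nf_conntrack_max) with the older ip_conntrack_* names from the post as a fallback; the 70%/90% thresholds, the flow rate and the 180-second comparison value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the conntrack UDP
# timeouts the post tunes and report how full the conntrack table is,
# since a long UDP timeout keeps more entries alive and can exhaust it.

# Read a conntrack sysctl, trying the newer nf_conntrack path first and
# falling back to the older ip_conntrack path the post's names come from.
ct_read() {
    # $1 = modern name under /proc/sys/net/netfilter
    # $2 = legacy name under /proc/sys/net/ipv4/netfilter
    for f in "/proc/sys/net/netfilter/$1" "/proc/sys/net/ipv4/netfilter/$2"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# Integer percentage of the conntrack table in use.
ct_usage_pct() {
    # $1 = current entry count, $2 = table maximum
    if [ "$2" -le 0 ]; then
        echo 0
        return 0
    fi
    echo $(( $1 * 100 / $2 ))
}

# Grade table usage: prints OK, WARN or CRIT (thresholds are assumptions).
ct_status() {
    pct=$(ct_usage_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then
        echo CRIT
    elif [ "$pct" -ge 70 ]; then
        echo WARN
    else
        echo OK
    fi
}

# Rough upper bound on live entries: new UDP flows per second times the
# timeout that keeps each entry alive (assumes a steady rate, no reuse).
ct_estimate_entries() {
    # $1 = new UDP flows per second, $2 = timeout in seconds
    echo $(( $1 * $2 ))
}

# Report for the running host; prints n/a values where conntrack is absent.
ct_report() {
    t=$(ct_read nf_conntrack_udp_timeout ip_conntrack_udp_timeout 2>/dev/null || echo "n/a")
    ts=$(ct_read nf_conntrack_udp_timeout_stream ip_conntrack_udp_timeout_stream 2>/dev/null || echo "n/a")
    count=$(ct_read nf_conntrack_count ip_conntrack_count 2>/dev/null || echo 0)
    max=$(ct_read nf_conntrack_max ip_conntrack_max 2>/dev/null || echo 0)
    echo "udp_timeout=$t udp_timeout_stream=$ts"
    echo "conntrack entries: $count / $max ($(ct_usage_pct "$count" "$max")%) $(ct_status "$count" "$max")"
    # Constructed comparison: 50 new UDP flows/s at the post's 28800 s versus 180 s.
    echo "estimated live entries at 28800 s: $(ct_estimate_entries 50 28800)"
    echo "estimated live entries at 180 s:   $(ct_estimate_entries 50 180)"
}

ct_report
```

Run it on the firewall host; the estimate lines make the post's resource worry concrete, since the number of live entries scales linearly with the timeout, so an 8-hour value multiplies the table footprint of every short-lived UDP flow (such as DNS) by the same factor.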
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info