[LARTC] Bandwidth limitation
We use a RedHat 7.3 machine as bridge on a P3 1.8 GHz with 2 64-bit Gigabit interfaces. On the machine we have a lot of iptables rules like:

  all  --  213.134.225.0  0.0.0.0/0
  all  --  0.0.0.0/0      213.134.225.0
  TOS  all  --  213.134.225.4  0.0.0.0/0  TOS set 0x08
  all  --  0.0.0.0/0      213.134.225.4

Currently in the peak hours we have about 40 Megabit of traffic. Also in these peak hours we have a CPU load of about 70%. What is the main reason of this CPU load: is it the high traffic or the iptables rules on the machine? And if the iptables rules are the reason of the high CPU load, does TOS mangling use much CPU?

Kind regards,
Rinse Kloek - Solcon Internetdiensten B.V.
www.solcon.net

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Re: [LARTC] Bandwidth limitation
On Monday 10 March 2003 09:41, Rinse Kloek wrote:
> We use a RedHat 7.3 machine as bridge on a P3 1.8 GHz with 2 64-bit Gigabit interfaces. On the machine we have a lot of iptables rules like:
>
>   all  --  213.134.225.0  0.0.0.0/0
>   all  --  0.0.0.0/0      213.134.225.0
>   TOS  all  --  213.134.225.4  0.0.0.0/0  TOS set 0x08
>   all  --  0.0.0.0/0      213.134.225.4
>
> Currently in the peak hours we have about 40 Megabit of traffic. Also in these peak hours we have a CPU load of about 70%. What is the main reason of this CPU load: is it the high traffic or the iptables rules on the machine? And if the iptables rules are the reason of the high CPU load, does TOS mangling use much CPU?

I'm not sure, but I think the high traffic is the problem. And for iptables, I think changing something (TOS or DNAT/SNAT) is the most CPU intensive. Maybe you can try to rearrange the iptables rules so the most matched rules are in the beginning of your firewall script.

Maybe you can create a test setup so you can generate 40 Megabit of traffic on a test bridge without iptables rules to see what the CPU does.

Stef
--
[EMAIL PROTECTED]
Using Linux as bandwidth manager http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] Bandwidth limitation
> On Monday 10 March 2003 09:41, Rinse Kloek wrote:
> > We use a RedHat 7.3 machine as bridge on a P3 1.8 GHz with 2 64-bit Gigabit interfaces. On the machine we have a lot of iptables rules like:
> >
> >   all  --  213.134.225.0  0.0.0.0/0
> >   all  --  0.0.0.0/0      213.134.225.0
> >   TOS  all  --  213.134.225.4  0.0.0.0/0  TOS set 0x08
> >   all  --  0.0.0.0/0      213.134.225.4
> >
> > Currently in the peak hours we have about 40 Megabit of traffic. Also in these peak hours we have a CPU load of about 70%. What is the main reason of this CPU load: is it the high traffic or the iptables rules on the machine? And if the iptables rules are the reason of the high CPU load, does TOS mangling use much CPU?
>
> I'm not sure, but I think the high traffic is the problem. And for iptables, I think changing something (TOS or DNAT/SNAT) is the most CPU intensive. Maybe you can try to rearrange the iptables rules so the most matched rules are in the beginning of your firewall script.
>
> Maybe you can create a test setup so you can generate 40 Megabit of traffic on a test bridge without iptables rules to see what the CPU does.
>
> Stef
> --

Stef,

We have about 3200 iptables rules on our bridge. I've tested today to remove 1000 of these rules. The load dropped from about 40% to 25%. So I think the iptables rules take up most of the CPU load. Do you think this is a problem of inefficiency of iptables or just a 'limitation' in the TCP/IP stack of Linux?

regards
Rinse
Re: [LARTC] Bandwidth limitation
> Stef,
>
> We have about 3200 iptables rules on our bridge. I've tested today to remove 1000 of these rules. The load dropped from about 40% to 25%. So I think the iptables rules take up most of the CPU load. Do you think this is a problem of inefficiency of iptables or just a 'limitation' in the TCP/IP stack of Linux?

I don't think it's a limitation. I think you reached the point where you need a bigger machine :)

Maybe you can try the iptables mailing list to find more info about the performance you can expect: http://lists.netfilter.org/mailman/listinfo/netfilter

Stef
--
[EMAIL PROTECTED]
Using Linux as bandwidth manager http://www.docum.org/
#lartc @ irc.oftc.net
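Stef's advice to reorder rules and Rinse's measurement (removing 1000 of 3200 rules took the load from about 40% to 25%) both follow from netfilter checking a chain's rules one after another for every packet; the model below, added here and not code from the thread, counts those comparisons for the flat layout against one that jumps to a per-/24 chain first. Because TOS in the mangle table is non-terminating, every packet walks a flat chain to its end, so reordering alone does not shorten the scan while dispatching on the subnet does. The 16-subnet by 100-host address set and the sample packets are constructed to reproduce the 3200-rule count.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str  # "TOS set 0x08" (non-terminating in mangle) or "JUMP:<chain>"
def host_rules(hosts):
    """Per-host pairs like the thread's 'all -- 213.134.225.4 0.0.0.0/0 TOS set 0x08'."""
    nets = [ipaddress.ip_network(f"{h}/32") for h in hosts]
    return [Rule(n, ANY, "TOS set 0x08") for n in nets] + [Rule(ANY, n, "TOS set 0x08") for n in nets]

def flat_chains(hosts):
    return {"PREROUTING": host_rules(hosts)}  # one long chain, as in the thread

def per_subnet_chains(hosts):
    """Top chain jumps on the /24, so only that subnet's host rules are scanned."""
    by_net = defaultdict(list)
    for h in hosts:
        by_net[ipaddress.ip_network(f"{h}/24", strict=False)].append(h)
    chains, top = {}, []
    for net, members in sorted(by_net.items()):
        name, rules = str(net.network_address), host_rules(members)
        chains[f"src_{name}"] = [r for r in rules if r.dst == ANY]
        chains[f"dst_{name}"] = [r for r in rules if r.src == ANY]
        top += [Rule(net, ANY, f"JUMP:src_{name}"), Rule(ANY, net, f"JUMP:dst_{name}")]
    chains["PREROUTING"] = top
    return chains

def walk(chains, src, dst, name="PREROUTING"):
    """(rules compared, rules matched) for one packet under netfilter's linear chain scan."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    compared = matched = 0
    for r in chains[name]:
        compared += 1
        if src not in r.src or dst not in r.dst:
            continue
        if r.target.startswith("JUMP:"):  # descend into the sub-chain, then come back
            c, m = walk(chains, src, dst, r.target[5:])
            compared, matched = compared + c, matched + m
        else:                             # TOS does not end the walk: count the hit, keep scanning
            matched += 1
    return compared, matched

# Constructed: 16 /24s around the thread's 213.134.225.0/24, 100 hosts each = 3200 rules.
HOSTS = [f"213.134.{224 + s}.{h}" for s in range(16) for h in range(1, 101)]
# walk(flat_chains(HOSTS), "213.134.225.4", "198.51.100.7") -> (3200, 1); per_subnet_chains -> (132, 1)
```

The chain names are only labels for the model; a real iptables chain name is limited in length and cannot contain a slash, and sub-chains would be created with -N and filled in the mangle table.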
Re: [LARTC] Bandwidth limitation
Stef Coene wrote:
> > Stef,
> >
> > We have about 3200 iptables rules on our bridge. I've tested today to remove 1000 of these rules. The load dropped from about 40% to 25%. So I think the iptables rules take up most of the CPU load. Do you think this is a problem of inefficiency of iptables or just a 'limitation' in the TCP/IP stack of Linux?
>
> I don't think it's a limitation. I think you reached the point where you need a bigger machine :)

Some topic-related observations:

AMD Athlon XP1700+ (1466), 4x Realtek 8139, 5-6 Mbit/s - nearly reaching the limit of machine capabilities
P4 2000, 3Com 905C + Broadcom BCM5701, 40-50 Mbit/s - far better behavior

Same configuration on both, thousands of iptables rules, and on the P4 machine there are 200-250 concurrent PPPoE sessions (none on the Athlon).

> Maybe you can try the iptables mailing list to find more info about the performance you can expect: http://lists.netfilter.org/mailman/listinfo/netfilter
>
> Stef
Re: [LARTC] Bandwidth limitation
On Mon, Mar 10, 2003 at 08:42:06PM +0200, Evgeni Gechev wrote:
> Some topic-related observations:
>
> AMD Athlon XP1700+ (1466), 4x Realtek 8139, 5-6 Mbit/s - nearly reaching the limit of machine capabilities

Change the 4 Realtek for 4 REAL nics, as the kernel driver of the Realtek cards says ...

... Realtek redefine the concept of low end hardware with this chipset ...

> P4 2000, 3Com 905C + Broadcom BCM5701, 40-50 Mbit/s - far better behavior
>
> Same configuration on both, thousands of iptables rules, and on the P4 machine there are 200-250 concurrent PPPoE sessions (none on the Athlon).

I think it is not a matter of the hardware (CPU/Mem I mean), but a matter of having good nics, good switches, and a very well planned and implemented network structure. If you want good performance, tuning the kernel network-related parameters would be good too.

Best regards
--
Raúl A. Betancort Santana
[EMAIL PROTECTED]
Dimensión Virtual S.L.
A Linux Solution Provider
"A Dream is an answer to a question that we don't know how to ask."