On 11/5/19 3:27 AM, Vieri Di Paola wrote:
> Hi,
>
> I've been struggling with system performance lately, but still haven't
> gotten anywhere.
> Top doesn't really seem to show anything "wrong" or worth worrying about.
> However, there are processes (only Shorewall-related that I know of,
> for now) that hinder real-time traffic (e.g. VoIP).
>
> Since every single config is different and depends mostly on the
> amount of rules one might define, I decided to test another command I
> see is causing me network issues:
>
> # time shorewall show capabilities
>
> real    0m37.072s
> user    0m0.370s
> sys     0m24.210s
>
> During these 30 seconds or so, I'm experiencing latency issues.
> Nothing else in TOP seems to give any other clues, and it is easily
> reproducible.
>
> smartmontools don't seem to indicate anything wrong with the disks.
>
> iostat typically shows these values:
>
> avg-cpu:  %user   %nice %system %iowait  %steal   %idle
>            1.73    0.11    8.06    0.23    0.00   89.88
>
> Device: rrqm/s wrqm/s   r/s   w/s  rkB/s  wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
> sda       0.00  23.90  0.16 16.83  12.02 582.69    69.98     0.07  3.85    0.52    3.88  0.22  0.38
> sdb       0.00  23.90  0.02 16.83   0.27 582.69    69.16     0.06  3.85    0.64    3.85  0.22  0.38
> md5       0.00   0.00  0.19 37.04  12.29 574.49    31.52     0.00  0.00    0.00    0.00  0.00  0.00
> md4       0.00   0.00  0.00  0.00   0.00   0.00    46.85     0.00  0.00    0.00    0.00  0.00  0.00
> md3       0.00   0.00  0.00  0.00   0.00   0.00    46.39     0.00  0.00    0.00    0.00  0.00  0.00
> md127     0.00   0.00  0.00  0.00   0.00   0.00     7.57     0.00  0.00    0.00    0.00  0.00  0.00
>
> avg-cpu:  %user   %nice %system %iowait  %steal   %idle
>            2.97    0.25    3.34    0.00    0.00   93.44
>
> Device: rrqm/s wrqm/s   r/s   w/s  rkB/s  wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
> sda       0.00  57.43  0.00 19.80   0.00 289.11    29.20     0.00  0.00    0.00    0.00  0.00  0.00
> sdb       0.00  57.43  0.00 19.80   0.00 289.11    29.20     0.00  0.00    0.00    0.00  0.00  0.00
> md5       0.00   0.00  0.00 70.30   0.00 273.27     7.77     0.00  0.00    0.00    0.00  0.00  0.00
> md4       0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
> md3       0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
> md127     0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
>
> avg-cpu:  %user   %nice %system %iowait  %steal   %idle
>            2.35    0.00    3.22    0.00    0.00   94.42
>
> Device: rrqm/s wrqm/s   r/s   w/s  rkB/s  wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
> sda       0.00   7.00  0.00  9.00   0.00  59.00    13.11     0.00  0.00    0.00    0.00  0.00  0.00
> sdb       0.00   7.00  0.00  9.00   0.00  59.00    13.11     0.00  0.00    0.00    0.00  0.00  0.00
> md5       0.00   0.00  0.00 10.00   0.00  44.00     8.80     0.00  0.00    0.00    0.00  0.00  0.00
> md4       0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
> md3       0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
> md127     0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
>
> BTW, during a "show capabilities" run, I get something like this:
>
> avg-cpu:  %user   %nice %system %iowait  %steal   %idle
>            3.96    0.12   14.85    0.12    0.00   80.94
>
> Device: rrqm/s wrqm/s   r/s   w/s  rkB/s  wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
> sda       0.00  32.67  0.00 44.55   0.00 562.38    25.24     1.68 37.78    0.00   37.78  3.78 16.83
> sdb       0.00  32.67  0.00 44.55   0.00 562.38    25.24     0.04  0.89    0.00    0.89  0.89  3.96
> md5       0.00   0.00  0.00 71.29   0.00 550.50    15.44     0.00  0.00    0.00    0.00  0.00  0.00
> md4       0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
> md3       0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
> md127     0.00   0.00  0.00  0.00   0.00   0.00     0.00     0.00  0.00    0.00    0.00  0.00  0.00
>
>
> Why would "show capabilities" take so long to complete?
>
> I have other Shorewall machines with similar kernels, but they take a
> lot less time (about 3 seconds).
>
> Thanks for sharing your thoughts,
>
On a system with heavy network traffic, 'show capabilities' is not advised.
Furthermore, on such a system, I recommend using a 'capabilities' file when
running Shorewall (as opposed to Shorewall-lite, which always uses a
capabilities file on the administrative system). Logic in the compiler that
is similar to that for the 'show capabilities' command is run when no
'capabilities' file is found. Many 'iptables -A' commands are run to
determine what features iptables and the kernel support. The implementation
of 'iptables -A' is not ideal; it regenerates the running configuration in
memory, adds the new rule to that new configuration, then does an atomic
swap of the new config and the current config. This essentially stalls
network traffic for a time, in addition to using CPU cycles.

-Tom

--
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org    \    understand
                         \_______________________________________________
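Tom's recommendation above (a pre-generated 'capabilities' file, so the compiler never has to probe iptables with a long series of 'iptables -A' calls on a busy firewall) written out as a small shell helper. This is an added example, not code from the thread or from the Shorewall project. It assumes the documented command 'shorewall show -f capabilities' as the generator and /etc/shorewall as the configuration directory; both are parameters so the helper can be exercised with a stand-in generator on a machine without Shorewall. The staleness check is my own addition: the probed feature set depends on the kernel and iptables in use, so the file should be regenerated (during a quiet window) after either is upgraded.

```shell
#!/bin/sh
# Added example, not part of the Shorewall-users thread or of Shorewall.
# Pre-generates Shorewall's 'capabilities' file so that compiling the
# firewall on a busy box does not trigger the iptables feature probing
# that 'shorewall show capabilities' performs.

# ensure_capabilities_file DIR [GEN_CMD]
#   Creates DIR/capabilities with GEN_CMD only when the file is missing or
#   empty; an existing non-empty file is left alone. GEN_CMD defaults to the
#   documented 'shorewall show -f capabilities' (assumption: Shorewall is
#   installed when the default is used). Returns 0 if a usable file exists
#   afterwards, 1 otherwise.
ensure_capabilities_file() {
    dir=$1
    gen=${2:-"shorewall show -f capabilities"}
    file="$dir/capabilities"
    if [ -s "$file" ]; then
        echo "capabilities file already present: $file"
        return 0
    fi
    tmp="$file.tmp.$$"
    # Probe into a temp file first: a failed or empty probe must never leave
    # a partial capabilities file that the compiler would then trust.
    if ! sh -c "$gen" > "$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "failed to generate $file" >&2
        return 1
    fi
    mv "$tmp" "$file"
    echo "wrote $file"
    return 0
}

# capabilities_is_stale FILE [MAX_DAYS]
#   Returns 0 (true) when FILE is missing or older than MAX_DAYS (default 30),
#   i.e. when it should be regenerated, for example after a kernel or
#   iptables upgrade. Uses POSIX 'find -mtime +N' (modified more than N
#   days ago) so it needs no GNU date extensions.
capabilities_is_stale() {
    file=$1
    max_days=${2:-30}
    [ -f "$file" ] || return 0
    [ -n "$(find "$file" -mtime +"$max_days" 2>/dev/null)" ]
}

# Typical use on a real firewall (needs root and Shorewall; commented out):
# if capabilities_is_stale /etc/shorewall/capabilities; then
#     rm -f /etc/shorewall/capabilities
#     ensure_capabilities_file /etc/shorewall
# fi
```

Run the regeneration from a maintenance window rather than from a cron job that may fire at peak traffic: the probe itself is the expensive operation the thread is about, and the point of the file is to move that cost off the busy path.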