Re: network / performance problems

From: Ron Peterson
Date: Tue Apr 13 2004 - 23:57:16 EST

Next message: Jon Grimm: "Re: io_apic & timer_ack fix"
Previous message: Manfred Spraul: "Re: Fw: [PATCH] Fix mq_notify with SIGEV_NONE notification"
In reply to: Ron Peterson: "Re: network / performance problems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 12 Apr 2004, Ron Peterson wrote:

> I have another machine that's not in production yet running 2.6.5. I'm
> adopted the habit of compiling netfilter stuff as modules, but I'll
> statically link everything and run it that way to see what I can see.

Results here:

http://depot.mtholyoke.edu:8080/tmp/tap-stow/2004-04-14/

The problem persists. To the best of my knowledge, starting with kernel
version 2.4.21, and including 2.6 series kernels, if you statically link
netfilter code, and use iptables to set up connection tracking rules (as
below), ksoftirqd will consume increasing cpu%, and ping latencies
will grow. Eventually the machine will be unuseable.

#! /bin/sh

IPTABLES=/usr/local/sbin/iptables

IFPUB=eth0
IFPRIV=eth1
PUBIP=...
PUBNET=...
PRIVIP=...
PRIVNET=...

# The default policy for each chain is to DROP the packet.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Flush existing rules for all chains.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# Allow this host to establish new connections. Otherwise only accept
# established connections.
$IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ping from on-campus
$IPTABLES -A INPUT -i $IFPUB -s $PUBNET --protocol icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -i $IFPRIV -s $PRIVNET --protocol icmp --icmp-type echo-request -j ACCEPT

# Allow incoming ssh connections.
$IPTABLES -A INPUT --protocol tcp --destination-port 22 -j ACCEPT

# Allow incoming https connections.
# $IPTABLES -A INPUT --protocol tcp --destination-port 443 -j ACCEPT

# Allow Samba/SMB/NetBIOS
$IPTABLES -A INPUT --protocol tcp --destination-port 137:139 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --destination-port 445 -j ACCEPT

# Allow CUPS
$IPTABLES -A INPUT --protocol tcp --destination-port 631 -j ACCEPT

# Allow this host to talk to itself.
$IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
$IPTABLES -A INPUT -s $PUBIP -d $PUBIP -j ACCEPT
$IPTABLES -A INPUT -s $PRIVIP -d $PRIVIP -j ACCEPT

_________________________
Ron Peterson
Network & Systems Manager
Mount Holyoke College

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jon Grimm: "Re: io_apic & timer_ack fix"
Previous message: Manfred Spraul: "Re: Fw: [PATCH] Fix mq_notify with SIGEV_NONE notification"
In reply to: Ron Peterson: "Re: network / performance problems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]