
Iptables



Network/IPTables

Introduction

CentOS has an extremely powerful firewall built in, commonly referred to as iptables, but more accurately iptables/netfilter. Iptables is the userspace module, the bit that you, the user, interact with at the command line to enter firewall rules into predefined tables. Netfilter is a kernel module, built into the kernel, that actually does the filtering. There are many GUI front ends for iptables that allow users to add or define rules through a point-and-click user interface, but these often lack the flexibility of the command line interface and limit the user's understanding of what is really happening. Before we can really get to grips with iptables, we need at least a basic understanding of the way it works.

Chains

There are 3 predefined chains in the filter table to which we can add rules for processing IP packets passing through those chains. INPUT - All packets destined for the host computer. Rules are added in a list to each chain.

31. LVS: Performance and Kernel Tuning

We are now (2006) in an era where the CPU is no longer rate determining in an LVS director.

Ratz 20 Feb 2006: The processor never is an issue regarding LVS unless your NIC is so badly designed that the CPU would need to take over the packet processing ;)

32.1. Performance Articles

(a non-LVS article on Configuring large scale unix clusters by Dan Kegel.) The article performance data for a single realserver LVS shows how to test the network links with netpipe and how to determine the effects of LVS on latency and throughput. Pat O'Rourke has done some performance tests on high end machines. Padraig Brady padraig (at) antefacto (dot) com 29 May 2002, measured 60usec latency for normal forwarding and 80usec latency for forwarding as a director on his setup.

Ted Pavlic was running 4 realservers with 1016 (4 x 254) RIPs way back (1999?). Jeremy Kusnet (1 Oct 2002) is running a setup with 53 VIPs, 8 services/VIP, 6 realservers, (53*8*6 = 2688) RIPs. unknown: Yes, see the list archives.

www.centos.org - Forums - CentOS 5 - General Support - ip_conntr

Just had another thought...

You may be able to eliminate the issue completely by reconfiguring the way your firewall processes the packets. For example, a typical set of firewall rules for allowing all traffic on the local 192.168.0.x subnet to access the mysql server on port 3306 may look something like this:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3306 -j ACCEPT

Here we see the standard rules for accepting packets on the localhost interface (first rule) and the SPI rule to accept ESTABLISHED and RELATED connections in the second rule.

Let's just consider what happens so we understand. But here's the problem... the following packets that are part of that connection get processed and accepted by rule 2 because they _are_ now part of an ESTABLISHED connection, and that uses up space in our ip_conntrack buffer. Now, what if we reordered the rules slightly:
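To make the first-match behaviour the post describes concrete, here is an added example (not from the forum post, CentOS or iptables itself) that walks a packet through the three INPUT rules above in order, with a constructed stand-in for the ip_conntrack table; it models only the -i, --state, -p, -s and --dport matches those rules use.

```python
# Added example (not from the forum post or from iptables itself): a toy
# first-match walk over the three INPUT rules quoted above, with a constructed
# stand-in for the ip_conntrack table, to show which rule each packet of a
# MySQL connection from 192.168.0.5 hits. Only -i, --state, -p, -s and --dport
# are modelled.
from ipaddress import ip_address, ip_network

# The ruleset from the post, in its original order (reported 1-based below).
RULES = [
    {"in_iface": "lo"},                                     # -i lo
    {"states": {"ESTABLISHED", "RELATED"}},                 # -m state --state ...
    {"proto": "tcp", "src": ip_network("192.168.0.0/24"),   # -p tcp -s ... --dport 3306
     "dport": 3306},
]

def conntrack_state(flows: set, pkt: dict) -> str:
    """Constructed conntrack table: the first packet of a flow is NEW and
    consumes an entry; later packets of the same flow are ESTABLISHED."""
    key = (pkt["proto"], pkt["src"], pkt["dport"])
    if key in flows:
        return "ESTABLISHED"
    flows.add(key)
    return "NEW"

def matches(rule: dict, pkt: dict, state: str) -> bool:
    # A match keyword absent from the rule matches anything.
    return all([
        rule.get("in_iface", pkt["iface"]) == pkt["iface"],
        state in rule.get("states", {state}),
        rule.get("proto", pkt["proto"]) == pkt["proto"],
        ip_address(pkt["src"]) in rule.get("src", ip_network(pkt["src"])),
        rule.get("dport", pkt["dport"]) == pkt["dport"],
    ])

def first_match(pkt: dict, flows: set, rules=RULES) -> int:
    """1-based index of the first accepting rule, 0 if the chain policy applies."""
    state = conntrack_state(flows, pkt)
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt, state):
            return i
    return 0

def trace_connection(n_packets: int, rules=RULES):
    """Rule index that accepts each of n packets of one client connection,
    plus the number of conntrack entries that connection consumed."""
    flows = set()
    pkt = {"iface": "eth0", "proto": "tcp", "src": "192.168.0.5", "dport": 3306}
    hits = [first_match(pkt, flows, rules) for _ in range(n_packets)]
    return hits, len(flows)
```

Only the first packet reaches rule 3; every later packet of the same connection is accepted by rule 2 while the connection holds its conntrack entry.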