Re: Persistance and LVS

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Persistance and LVS
From: Andrea Cerrito <is@xxxxxxxxxxxxxxx>
Date: Thu, 29 Apr 2004 15:45:53 +0200
On Thu, 2004-04-29 at 15:28, Joseph Mack wrote:
> Andrea Cerrito wrote:
> > 
> > > To have 8 million concurrent connections through a director to realservers
> > > that only have 64k ports, you'd need 128 realservers?
> > 
> > Does it help to play with /proc/sys/net/ipv4/ip_conntrack_max?
> > I mean, is it possible to increase this value above 65535?
> the problem is that the number of ports in ipv4 is a 16bit number and
> part of the spec. I kinda think that maybe ipv6 has more ports but I don't
> really know.

I'm confused.
Reading here ''
I found that tuning the ip_conntrack module is possible, and that it is
possible to handle even 1 million connections.

Ideal case: firewalling-only machine

In the ideal case, you have a machine _just_ doing packet filtering and NAT
(i.e. almost no userspace running, at least none that would have a growing
memory consumption like proxies, ...).

The size of kernel memory used by netfilter connection tracking is:
size_of_mem_used_by_conntrack (in bytes) =
        CONNTRACK_MAX * sizeof(struct ip_conntrack) +
        HASHSIZE * sizeof(struct list_head)
- sizeof(struct ip_conntrack) is around 300 bytes on i386 (depending on your
  compile-time configuration, see the printout at ip_conntrack initialization)
- sizeof(struct list_head) = 2 * size_of_a_pointer
  On i386, size_of_a_pointer is 4 bytes.

So, on i386, size_of_mem_used_by_conntrack is around
CONNTRACK_MAX * 300 + HASHSIZE * 8 (bytes).

If we take HASHSIZE = CONNTRACK_MAX (if we have most of the memory dedicated
to firewalling, see "Modifying CONNTRACK_MAX and HASHSIZE" section above),
size_of_mem_used_by_conntrack would be around CONNTRACK_MAX * 308 bytes
on i386 systems.

Now suppose you put 512MB of RAM (a decent amount of memory considering today's
memory prices) into the firewalling-only box, and use all but 128MB for
conntrack, which should really be big enough for a firewall in console mode,
for example.
Then you could set both CONNTRACK_MAX and HASHSIZE approximately to:
(512 - 128) * 1024^2 / 308 =~ 1307315 (instead of 32768 for CONNTRACK_MAX,
and 4096 for HASHSIZE by default).
As of Linux 2.4.21 (and Linux 2.6), hash algorithm is happy with
"power of 2" sizes.

So here we can set CONNTRACK_MAX and HASHSIZE to 1048576 (2^20), for example.

So: if 1 port = 1 connection, and Number_Of_Ports is 16bit-limited, why increase
the maximum number of tracked connections?
Enjoy your freedom

Andrea Cerrito
Linux User #103564

=== (17:57:49) Nietzsche: "nothing is what it seems"
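The memory-sizing formula quoted in the mail above (CONNTRACK_MAX * sizeof(struct ip_conntrack) + HASHSIZE * sizeof(struct list_head), then rounding to a power of two) is worked through below as an added example; it is not code from the post or from the netfilter document being quoted. The per-entry sizes (300 bytes per struct ip_conntrack, 4-byte pointers) are the i386 figures given in the quoted text and are taken as parameters, since they depend on the kernel build; the 512 MB / 128 MB reserve scenario is the one from the quoted text. Note that the formula sizes the table by available kernel memory alone.

```python
"""Worked example of the netfilter conntrack memory-sizing formula quoted in
the thread.  Added illustration, not code from the original mail.

Assumptions (all taken from the quoted text, all i386-era figures):
  - sizeof(struct ip_conntrack) ~ 300 bytes
  - sizeof(struct list_head)    = 2 * sizeof(pointer) = 8 bytes
  - the hash function works best when HASHSIZE is a power of two
"""


def conntrack_entry_cost(entry_bytes=300, pointer_bytes=4):
    """Bytes consumed per tracked connection when HASHSIZE == CONNTRACK_MAX:
    one struct ip_conntrack plus one struct list_head (two pointers) bucket."""
    return entry_bytes + 2 * pointer_bytes


def conntrack_memory(conntrack_max, hashsize, entry_bytes=300, pointer_bytes=4):
    """Kernel memory used by connection tracking, in bytes, per the formula:
       CONNTRACK_MAX * sizeof(struct ip_conntrack) + HASHSIZE * sizeof(struct list_head)
    The two sizes are independent, so this also covers a HASHSIZE smaller than
    CONNTRACK_MAX (several connections chained per bucket)."""
    if conntrack_max < 1 or hashsize < 1:
        raise ValueError("CONNTRACK_MAX and HASHSIZE must be positive")
    return conntrack_max * entry_bytes + hashsize * 2 * pointer_bytes


def largest_power_of_two_at_most(n):
    """Largest 2**k that does not exceed n (the 'power of 2' sizes the quoted
    text says the 2.4.21+/2.6 hash algorithm is happy with)."""
    if n < 1:
        raise ValueError("need a positive upper bound")
    return 1 << (n.bit_length() - 1)


def size_conntrack(total_ram_mib, reserve_mib, entry_bytes=300, pointer_bytes=4):
    """Derive CONNTRACK_MAX and HASHSIZE for a firewalling-only box.

    total_ram_mib : RAM installed in the box
    reserve_mib   : memory left for the kernel and userspace (128 MB in the mail)

    Returns the raw quotient from the formula (1307315 for 512/128 on i386)
    and the power-of-two value actually recommended (2**20 = 1048576), plus
    the memory that the rounded table consumes so the caller can confirm it
    stays inside the budget.
    """
    budget = (total_ram_mib - reserve_mib) * 1024 ** 2
    if budget <= 0:
        raise ValueError("reserve leaves no memory for conntrack")
    raw_max = budget // conntrack_entry_cost(entry_bytes, pointer_bytes)
    rounded = largest_power_of_two_at_most(raw_max)
    used = conntrack_memory(rounded, rounded, entry_bytes, pointer_bytes)
    return {
        "budget_bytes": budget,
        "raw_max": raw_max,           # before power-of-two rounding
        "conntrack_max": rounded,     # value for ip_conntrack_max
        "hashsize": rounded,          # HASHSIZE == CONNTRACK_MAX, as in the mail
        "memory_bytes": used,
        "fits_budget": used <= budget,
    }


if __name__ == "__main__":
    # The scenario from the quoted text: 512 MB box, 128 MB kept back.
    result = size_conntrack(512, 128)
    for key, value in result.items():
        print(f"{key:>14}: {value}")
    # Kernel-side sanity check: the defaults quoted in the mail (32768 / 4096)
    # use only a few megabytes, which is why the table can grow so far.
    print("default table:", conntrack_memory(32768, 4096), "bytes")
    # Path named in the thread for the runtime limit (the hash size itself is
    # fixed when the module loads, so only CONNTRACK_MAX is tunable here):
    print("echo", result["conntrack_max"], "> /proc/sys/net/ipv4/ip_conntrack_max")
```

Running it reproduces the two numbers in the quoted text, 1307315 as the raw quotient and 1048576 (2^20) after rounding down to a power of two, and shows that the rounded table uses about 308 MiB, inside the 384 MiB budget. Because the hash table size is fixed at module load in the kernels discussed, only ip_conntrack_max is adjustable through the /proc path named in the thread.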
