On Thu, Apr 29, 2004 at 03:45:53PM +0200, Andrea Cerrito wrote:
> On Thu, 2004-04-29 at 15:28, Joseph Mack wrote:
> > Andrea Cerrito wrote:
> > >
> > > > To have 8 million concurrent connections through a director to
> > > > realservers
> > > > that only have 64k ports, you'd need 128 realservers?
> > >
> > > Does it help to play with /proc/sys/net/ipv4/ip_conntrack_max?
> > > I mean, is it possible to increment over 65535 this value?
> > the problem is that the number of ports in ipv4 is a 16bit number and
> > part of the spec. I kinda think that maybe ipv6 has more ports but I don't
> > really
> > know.
> I'm confused.
> Reading here 'http://www.wallfire.org/misc/netfilter_conntrack_perf.txt'
> I found that tuning ip_conntrack module is possible, and it's possible
> to handle even 1million connection.
LVS-Nat ant Netfilter's NAT are not the same thing.
The do not use the same code. Although the agument for
LVS is simmilar to the one for Nefilter you have below.
> Ideal case: firewalling-only machine
> In the ideal case, you have a machine _just_ doing packet filtering and NAT
> (i.e. almost no userspace running, at least none that would have a growing
> memory consumption like proxies, ...).
> The size of kernel memory used by netfilter connection tracking is:
> size_of_mem_used_by_conntrack (in bytes) =
> CONNTRACK_MAX * sizeof(struct ip_conntrack) +
> HASHSIZE * sizeof(struct list_head)
> - sizeof(struct ip_conntrack) is around 300 bytes on i386 (depending on your
> compile-time configuration, see the printout at ip_conntrack initialization
> - sizeof(struct list_head) = 2 * size_of_a_pointer
> On i386, size_of_a_pointer is 4 bytes.
> So, on i386, size_of_mem_used_by_conntrack is around
> CONNTRACK_MAX * 300 + HASHSIZE * 8 (bytes).
> If we take HASHSIZE = CONNTRACK_MAX (if we have most of the memory dedicated
> to firewalling, see "Modifying CONNTRACK_MAX and HASHSIZE" section above),
> size_of_mem_used_by_conntrack would be around CONNTRACK_MAX * 308 bytes
> on i386 systems.
> Now suppose you put 512MB of RAM (a decent amount of memory considering
> memory prices) into the firewalling-only box, and use all but 128MB for
> conntrack, which should really be big enough for a firewall in console mode,
> for example.
> Then you could set both CONNTRACK_MAX and HASHSIZE approximately to:
> (512 - 128) * 1024^2 / 308 =~ 1307315 (instead of 32768 for CONNTRACK_MAX,
> and 4096 for HASHSIZE by default).
> As of Linux 2.4.21 (and Linux 2.6), hash algorithm is happy with
> "power of 2" sizes.
> So here we can set CONNTRACK_MAX and HASHSIZE to 1048576 (2^20), for example.
> So: if 1 port = 1 connection, and Numer_Of_Ports is 16bit-limited, why
> increase the number of maximum connection tracking?
> Enjoy your freedom
> Andrea Cerrito
> Linux User #103564
> === (17:57:49) Nietzsche: "niente è quello che sembra"
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users