On Thu, 2004-04-29 at 15:28, Joseph Mack wrote:
> Andrea Cerrito wrote:
> >
>
> > > To have 8 million concurrent connections through a director to realservers
> > > that only have 64k ports, you'd need 128 realservers?
> >
> > Does it help to play with /proc/sys/net/ipv4/ip_conntrack_max?
> > I mean, is it possible to increment over 65535 this value?
>
> the problem is that the number of ports in ipv4 is a 16bit number and
> part of the spec. I kinda think that maybe ipv6 has more ports but I don't
> really know.
I'm confused.
Reading here 'http://www.wallfire.org/misc/netfilter_conntrack_perf.txt'
I found that tuning the ip_conntrack module is possible, and it's possible
to handle even 1 million connections.
Snip:***********************************
Ideal case: firewalling-only machine
------------------------------------
In the ideal case, you have a machine _just_ doing packet filtering and NAT
(i.e. almost no userspace running, at least none that would have a growing
memory consumption like proxies, ...).
The size of kernel memory used by netfilter connection tracking is:
size_of_mem_used_by_conntrack (in bytes) =
CONNTRACK_MAX * sizeof(struct ip_conntrack) +
HASHSIZE * sizeof(struct list_head)
where:
- sizeof(struct ip_conntrack) is around 300 bytes on i386 (depending on your
compile-time configuration, see the printout at ip_conntrack initialization
time).
- sizeof(struct list_head) = 2 * size_of_a_pointer
On i386, size_of_a_pointer is 4 bytes.
So, on i386, size_of_mem_used_by_conntrack is around
CONNTRACK_MAX * 300 + HASHSIZE * 8 (bytes).
If we take HASHSIZE = CONNTRACK_MAX (if we have most of the memory dedicated
to firewalling, see "Modifying CONNTRACK_MAX and HASHSIZE" section above),
size_of_mem_used_by_conntrack would be around CONNTRACK_MAX * 308 bytes
on i386 systems.
Now suppose you put 512MB of RAM (a decent amount of memory considering today's
memory prices) into the firewalling-only box, and use all but 128MB for
conntrack, which should really be big enough for a firewall in console mode,
for example.
Then you could set both CONNTRACK_MAX and HASHSIZE approximately to:
(512 - 128) * 1024^2 / 308 =~ 1307315 (instead of 32768 for CONNTRACK_MAX,
and 4096 for HASHSIZE by default).
As of Linux 2.4.21 (and Linux 2.6), hash algorithm is happy with
"power of 2" sizes.
So here we can set CONNTRACK_MAX and HASHSIZE to 1048576 (2^20), for example.
EndSnip:***********************************
So: if 1 port = 1 connection, and Number_Of_Ports is 16bit-limited, why increase
the maximum number of tracked connections?
--
Enjoy your freedom
Andrea Cerrito
http://www.gentestrana.net/
Linux User #103564
=== (17:57:49) Nietzsche: "nothing is what it seems"
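A small sizing helper, added here as an example (it is not part of Andrea's mail or of the quoted wallfire.org text), that carries the quoted conntrack memory formula through with the i386 figures from the snip and rounds the result down to the power-of-two size the text recommends. The struct sizes come from the quoted text; the function names and the dict layout are my own.

```python
# Added example: netfilter conntrack table sizing, following the formula
#   mem = CONNTRACK_MAX * sizeof(struct ip_conntrack) + HASHSIZE * sizeof(struct list_head)
# quoted from the wallfire.org text. Struct sizes below are the i386 figures
# given there (approximate, compile-time dependent), not measured values.

SIZEOF_IP_CONNTRACK = 300     # bytes, approx. on i386 per the quoted text
SIZEOF_POINTER = 4            # bytes on i386
DEFAULT_CONNTRACK_MAX = 32768 # defaults named in the quoted text
DEFAULT_HASHSIZE = 4096


def conntrack_mem_bytes(conntrack_max, hashsize,
                        ct_size=SIZEOF_IP_CONNTRACK, ptr_size=SIZEOF_POINTER):
    """Kernel memory used by conntrack for the given table sizes.

    sizeof(struct list_head) is two pointers, hence 2 * ptr_size per bucket.
    """
    return conntrack_max * ct_size + hashsize * 2 * ptr_size


def max_entries_for_budget(budget_bytes,
                           ct_size=SIZEOF_IP_CONNTRACK, ptr_size=SIZEOF_POINTER):
    """Largest CONNTRACK_MAX (with HASHSIZE = CONNTRACK_MAX) fitting the budget."""
    per_entry = ct_size + 2 * ptr_size   # 308 bytes on i386
    return budget_bytes // per_entry


def floor_pow2(n):
    """Largest power of two <= n (the hash prefers power-of-two sizes)."""
    if n < 1:
        raise ValueError("n must be >= 1")
    return 1 << (n.bit_length() - 1)


def size_conntrack(ram_mb, reserve_mb):
    """Plan CONNTRACK_MAX/HASHSIZE for a box with ram_mb of RAM, keeping
    reserve_mb for everything else. Returns the raw figure, the power-of-two
    choice, and the memory each configuration actually consumes."""
    budget = (ram_mb - reserve_mb) * 1024 ** 2
    raw = max_entries_for_budget(budget)
    chosen = floor_pow2(raw)
    return {
        "raw_max": raw,                                   # 1307315 for 512/128
        "pow2_max": chosen,                               # 1048576 (2^20)
        "mem_bytes": conntrack_mem_bytes(chosen, chosen),
        "default_mem_bytes": conntrack_mem_bytes(DEFAULT_CONNTRACK_MAX,
                                                 DEFAULT_HASHSIZE),
    }


if __name__ == "__main__":
    for k, v in size_conntrack(512, 128).items():
        print(f"{k:>18}: {v}")
```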