> The problem has been solved. It's something related to iptables.
As expected, it's netfilter and the connection tracking. If you want
high performance load balancing, do _not_ use netfilter; especially the
connection tracking. It just does not scale. Simply loading ip_conntrack
into the kernel makes your packet rate drop by 60 kpps on a 1Gbit/s
connection.
> Stopping iptables on director and the connection rate goes from 200 to
> Nx2000, where N is the number of real servers.
Very well, so LVS works well for you.
> After that, I tried to
> figure out which iptables rules conflict with ipvs and found that it's
> the default argument generated from system-config-securitylevel that causes
> this. Replacing "-m state --state NEW -m tcp -p tcp --dport 80" with just
> "-m tcp -p tcp --dport 80" makes everything work perfectly.
It's not a conflict, it's the connection tracking core which is
extremely slow. There's ongoing effort from the netfilter people to
improve this state.
Regards,
Roberto Nibali, ratz
--
-------------------------------------------------------------
addr://Kasinostrasse 30, CH-5001 Aarau tel://++41 62 823 9355
http://www.terreactive.com fax://++41 62 823 9356
-------------------------------------------------------------
10 years of expertise in IT security. 1996 - 2006
We secure your success. terreActive AG
-------------------------------------------------------------
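An added audit helper, not part of the thread, for spotting the stateful rules discussed above on an LVS director: it scans an iptables-save dump (the rule set below is constructed sample input) for matches and targets that load the conntrack module, and applies the stateless rewrite the poster used. Note that any remaining `-m state` rule still keeps connection tracking loaded, so the check reports those too.

```shell
# Constructed sample ruleset in iptables-save format (hypothetical, for illustration).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
COMMIT'

# Print every rule whose match or target requires connection tracking:
# the state/conntrack matches and the NAT targets (which depend on conntrack).
find_conntrack_rules() {
    printf '%s\n' "$1" \
        | grep -E -e '-m (state|conntrack)|-j (SNAT|DNAT|MASQUERADE|REDIRECT)'
}

# Count such rules; prints 0 when the ruleset is free of conntrack dependencies.
count_conntrack_rules() {
    n=$(find_conntrack_rules "$1" | grep -c .) || true
    printf '%s\n' "${n:-0}"
}

# Apply the rewrite from the thread: drop "-m state --state NEW" from rules,
# leaving the plain "-m tcp -p tcp --dport 80" form.
strip_state_match() {
    printf '%s\n' "$1" | sed -E 's/-m state --state NEW //'
}

# Usage: audit the sample, then show what the rewrite still leaves behind.
echo "conntrack-dependent rules before: $(count_conntrack_rules "$SAMPLE_RULES")"
REWRITTEN=$(strip_state_match "$SAMPLE_RULES")
echo "conntrack-dependent rules after:  $(count_conntrack_rules "$REWRITTEN")"
find_conntrack_rules "$REWRITTEN"
```

On a live director the same functions can be fed `iptables-save` output; `lsmod | grep conntrack` confirms whether the module is currently loaded.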