Re: [lvs-users] Reasonable(?) Performance of LVS-NAT

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Reasonable(?) Performance of LVS-NAT
From: daryl herzmann <akrherz@xxxxxxxxxxx>
Date: Fri, 24 May 2013 08:14:58 -0500 (CDT)

On Fri, 24 May 2013, Graeme Fowler wrote:

> If you have rules in place and something making use of the conntrack 
> modules (matching ESTABLISHED/RELATED for example) then you *could* - 
> I'm not saying *will :) - see performance problems. That may explain the 
> "single connection is fast but lots at the same time aren't" scenario. 
> As the conntrack modules run in kernel space that could explain the CPU 
> usage stats, too.
>
> Try turning off any conntrack-related rules and see if it helps.

Thanks for your help.  Here's my current iptables setup; I thought I had 
enabled NOTRACK for http and https traffic to prevent this.  1.1.1.1 is my 
fake public IP for this email and 192.168.0.0 is the LAN.

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  192.168.0.0/24       0.0.0.0/0            to:1.1.1.1
2    MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MARK       tcp  --  0.0.0.0/0            1.1.1.1              tcp dpt:21 MARK set 0x15
# naughty machines blocked...
2    DROP       all  --  1.1.1.77             0.0.0.0/0
3    DROP       all  --  1.1.1.22             0.0.0.0/0

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: raw
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    NOTRACK    tcp  --  0.0.0.0/0            1.1.1.1              tcp dpt:80
2    NOTRACK    tcp  --  192.168.0.0/24       0.0.0.0/0            tcp spt:80
3    NOTRACK    tcp  --  0.0.0.0/0            1.1.1.1              tcp dpt:443
4    NOTRACK    tcp  --  192.168.0.0/24       0.0.0.0/0            tcp spt:443

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    NOTRACK    tcp  --  0.0.0.0/0            1.1.1.1              tcp dpt:80
2    NOTRACK    tcp  --  192.168.0.0/24       0.0.0.0/0            tcp spt:80
3    NOTRACK    tcp  --  0.0.0.0/0            1.1.1.1              tcp dpt:443
4    NOTRACK    tcp  --  192.168.0.0/24       0.0.0.0/0            tcp spt:443

thank you,
   daryl
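
An added example, not code from this thread or from the LVS project: a shell check over an iptables-save dump that answers the two questions a practitioner asks of the listing above. First, does raw PREROUTING untrack both halves of each VIP port (the client request to the VIP and the real-server reply from the LAN), since an entry is still created for whichever half stays tracked. Second, which rules are affected by untracked packets: a packet marked NOTRACK is neither NEW nor ESTABLISHED (so a "-m state --state ESTABLISHED,RELATED -j ACCEPT" policy never matches it) and it skips the nat table entirely (the nat table is consulted only for the first packet of a tracked connection), which is harmless for LVS-NAT because IPVS rewrites VIP traffic itself, but matters if anything else relies on the SNAT/MASQUERADE rules. The RULES dump is constructed from the listing in the mail, rewritten in iptables-save syntax, with the poster's placeholder addresses 1.1.1.1 and 192.168.0.0/24; STATEFUL_FILTER is an assumed variant added to show the failure mode Graeme describes, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: check an iptables-save dump for
# (a) NOTRACK coverage of an LVS-NAT VIP in both directions and (b) rules that
# untracked packets never satisfy or skip. RULES is CONSTRUCTED from the
# listing in the mail above (iptables -L output rewritten in iptables-save
# syntax); 1.1.1.1 (VIP) and 192.168.0.0/24 (LAN) are the poster's placeholders.
RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --sport 80 -j NOTRACK
-A PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 443 -j NOTRACK
-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --sport 443 -j NOTRACK
-A OUTPUT -d 1.1.1.1/32 -p tcp -m tcp --dport 80 -j NOTRACK
-A OUTPUT -s 192.168.0.0/24 -p tcp -m tcp --sport 80 -j NOTRACK
-A OUTPUT -d 1.1.1.1/32 -p tcp -m tcp --dport 443 -j NOTRACK
-A OUTPUT -s 192.168.0.0/24 -p tcp -m tcp --sport 443 -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1
-A POSTROUTING -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 21 -j MARK --set-xmark 0x15/0xffffffff
-A PREROUTING -s 1.1.1.77/32 -j DROP
-A PREROUTING -s 1.1.1.22/32 -j DROP
COMMIT'

# CONSTRUCTED variant (an assumption, not the poster's setup): a stateful
# FORWARD policy of the kind Graeme warned about. Every tracked packet pays for
# the state lookup, and an untracked packet is neither NEW nor ESTABLISHED, so
# the NOTRACKed request and reply both fall through to the DROP policy.
STATEFUL_FILTER='*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT'

# Print the -A lines of one table ("raw", "nat", ...) from a dump on stdin.
table_rules() {
    awk -v t="*$1" '$0 == t { f = 1; next } /^COMMIT/ { f = 0 } f && /^-A /'
}

# Succeed (exit 0) only when raw PREROUTING untracks both halves of VIP:PORT:
# the client request (-d VIP --dport PORT) and the real-server reply
# (--sport PORT from the LAN). If one half stays tracked, conntrack still
# creates an entry for it and the bypass buys little.
notrack_covers() {   # $1 dump, $2 VIP, $3 port, $4 LAN cidr
    raw=$(printf '%s\n' "$1" | table_rules raw | grep '^-A PREROUTING ' || true)
    req=$(printf '%s\n' "$raw" | grep -c -- "-d $2/32 .*--dport $3 -j NOTRACK" || true)
    rep=$(printf '%s\n' "$raw" | grep -c -- "-s $4 .*--sport $3 -j NOTRACK" || true)
    echo "vip=$2 port=$3 request_notrack=$req reply_notrack=$rep"
    [ "$req" -gt 0 ] && [ "$rep" -gt 0 ]
}

# Rules using -m state / -m conntrack: each forces a lookup for every tracked
# packet and silently never matches an untracked one.
count_state_matches() {
    printf '%s\n' "$1" | grep -c -E -- '-m (state|conntrack) ' || true
}

# Rules in the nat table. The nat table is consulted only for the first packet
# of a tracked connection, so SNAT/MASQUERADE never apply to NOTRACKed flows;
# for LVS-NAT that is the intent, since IPVS rewrites the VIP traffic itself.
count_nat_rules() {
    printf '%s\n' "$1" | table_rules nat | grep -c -- '^-A ' || true
}

# Live checks for the director itself (skipped where iptables is absent): the
# raw PREROUTING counters show whether the NOTRACK rules see the HTTP traffic
# at all, and nf_conntrack_count should stay flat under HTTP load if the
# bypass works. On kernels that have net.ipv4.vs.conntrack, a value of 1 makes
# IPVS itself create conntrack entries for its connections.
live_check() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found, skipping live check"; return 0; }
    iptables -t raw -L PREROUTING -v -n
    cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null
    sysctl net.ipv4.vs.conntrack 2>/dev/null || true
}

for p in 80 443; do
    notrack_covers "$RULES" 1.1.1.1 "$p" 192.168.0.0/24 || echo "  -> port $p is only partly untracked"
done
echo "state matches in the posted ruleset:  $(count_state_matches "$RULES")"
echo "state matches in the stateful variant: $(count_state_matches "$STATEFUL_FILTER")"
echo "nat rules that NOTRACKed packets skip: $(count_nat_rules "$RULES")"
live_check || true
```

Feed it `iptables-save` output instead of the constructed RULES to check a real director; the posted ruleset comes out with both directions untracked for 80 and 443 and no state matches, so the remaining conntrack cost is whatever other traffic the catch-all MASQUERADE rule tracks (the FTP mark rule on port 21 included).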

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
