On Saturday 22 May 2004 23:25 Paul Lambert wrote:
This setup has worked well for more than 1000 devices but as the network has grown to 3000+ devices the CPU is not keeping up.
I guess you mean 3000+ clients, not actual network devices on one machine.
Yes, 3000+ client devices.
*** eth0 is MASQUERADE'd so I mark the packet on eth1 ***
*** I have narrowed it down to this one entry sucking all the CPU ***

iptables -t mangle -A PREROUTING -s 10.10.6.20 -i eth1 -j MARK --set-mark 0x843
Well, if you have 3000+ rules like that, it will certainly slow you down. You should use some kind of hashing. How that is done for tc filters is described here: http://www.lartc.org/lartc.html#LARTC.ADV-FILTER.HASHING
tc is keeping up well for now. However, I think you're right and this is worth implementing.
Apply the same (or a similar) mechanism to your iptables ruleset and you should get improved speeds.
I like this idea. I never thought about using a hash filter in iptables. I could have two sections: I could match the subnet and then jump to look up the node address. I think this would lessen the load considerably, as long as it is the lookup that is taking the most CPU cycles and not the actual MARK routine having to execute on every packet.
--
Thanks
HTH
Andreas

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
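As an added example (not part of the thread, and not Paul's or Andreas's code), here is one way to build the two-level lookup discussed above for iptables: PREROUTING dispatches each /24 to its own chain, and the per-host MARK rules live inside that chain. The script only emits iptables-restore text instead of loading it, so the result can be inspected before it touches a box; the addresses, marks and interface name are constructed. The second function shows what the split buys: a packet that used to be compared against all N rules of the flat list now walks one rule per subnet plus the hosts of its own /24, since each chain is still a linear list.

```shell
#!/bin/sh
# Added example for the LARTC thread above; not code from the original posts.
# Emits a two-level mangle ruleset (per-/24 chains holding per-host MARK rules)
# in iptables-restore format. All addresses, marks and names are constructed.

# Constructed sample input: one "host-ip mark" pair per line.
SAMPLE_HOSTS='10.10.6.20 0x843
10.10.6.21 0x844
10.10.7.5 0x901
10.10.200.9 0xa10'

# Chain name for the /24 containing an address, e.g. 10.10.6.20 -> mark_10_10_6
chain_for() {
    printf 'mark_%s\n' "$(printf '%s\n' "$1" | cut -d. -f1-3 | tr . _)"
}

# Read "ip mark" pairs on stdin and print an iptables-restore fragment.
# $1: ingress interface (eth1 in the thread).
gen_ruleset() {
    iface=$1
    input=$(cat)
    # Distinct /24 prefixes present in the input, one per line.
    subnets=$(printf '%s\n' "$input" | awk '{print $1}' | cut -d. -f1-3 | sort -u)
    echo '*mangle'
    # Declare one user chain per subnet.
    for s in $subnets; do
        echo ":$(chain_for "$s.0") - [0:0]"
    done
    # First level: PREROUTING only dispatches on the /24.
    for s in $subnets; do
        echo "-A PREROUTING -i $iface -s $s.0/24 -j $(chain_for "$s.0")"
    done
    # Second level: per-host MARK rules, confined to their subnet's chain.
    printf '%s\n' "$input" | while read -r ip mark; do
        [ -n "$ip" ] || continue
        echo "-A $(chain_for "$ip") -s $ip -j MARK --set-mark $mark"
    done
    echo 'COMMIT'
}

# Synthesize N constructed hosts spread over consecutive /24s (254 per subnet),
# so the effect can be checked at the thread's scale of 3000+ clients.
synth_hosts() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '10.10.%d.%d 0x%x\n' $((i / 254)) $((i % 254 + 1)) $((2048 + i))
        i=$((i + 1))
    done
}

# Worst-case rules one packet traverses, "flat two_level":
# flat = N host rules; two_level = one dispatch rule per subnet plus the
# largest per-subnet chain. Reads "ip mark" pairs on stdin.
traversal_cost() {
    input=$(cat)
    n=$(printf '%s\n' "$input" | grep -c .)
    per_subnet=$(printf '%s\n' "$input" | awk '{print $1}' | cut -d. -f1-3 | sort | uniq -c)
    subnets=$(printf '%s\n' "$per_subnet" | grep -c .)
    maxhosts=$(printf '%s\n' "$per_subnet" | awk '{if ($1+0 > m) m = $1+0} END {print m+0}')
    echo "$n $((subnets + maxhosts))"
}

# Demo: the small constructed ruleset, then the cost comparison at 3000 hosts.
printf '%s\n' "$SAMPLE_HOSTS" | gen_ruleset eth1
synth_hosts 3000 | traversal_cost
```

Load the output with `iptables-restore -n` (noflush) only after reviewing it; the dispatch chain still walks every subnet rule linearly, so the gain is largest when hosts are spread over few /24s that each hold many addresses, which is exactly the 3000-client layout in the thread.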