Denys Fedoryschenko wrote:
> I have loaded pppoe (1700 users). I test one rule for short time with -j
> MASQUERADE, then removed it and reset conntrack (conntrack -F). But still I
> can see it is consuming CPU even when it is not used in any rule. Even I
> reboot server and just load rules that don't have MASQUERADE, and just load
> module - it will start consuming CPU immediately.

Are you using 2.6.29 with any conntrack helper loaded? In that case this fix is not in -stable yet.

http://kerneltrap.org/mailarchive/linux-netdev/2009/4/8/5440564

> 64811 3.7735 ipt_MASQUERADE ipt_MASQUERADE device_cmp

device_cmp() by nf_ct_iterate_cleanup() when NETDEV_DOWN event is received. Weird, is your device going down quite often?

Another possibility is that there's some entry stuck in the conntrack table that we cannot delete, perhaps we're leaking refcounts somewhere.

--
"Los honestos son inadaptados sociales" -- Les Luthiers
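A user-space model of the code path named in the reply above, added here as an illustration and not taken from the thread or the kernel source: every NETDEV_DOWN event walks the whole table and runs the compare callback on each entry, even when no entry was ever masqueraded. The struct layout, the table size and the `iterate_cleanup` and `netdev_down_storm` helpers are assumptions made for the model.

```c
/* User-space model, not kernel code: names mirror the thread, layout is assumed. */
#include <stddef.h>
#include <stdio.h>

struct ct_entry {
    int in_use;      /* slot holds a tracked connection */
    int masq_index;  /* ifindex recorded by MASQUERADE, 0 if never masqueraded */
};

static unsigned long cmp_calls;  /* how many times the callback ran */

/* Modelled on device_cmp(): does this entry belong to the interface going down? */
static int device_cmp(const struct ct_entry *e, int ifindex)
{
    cmp_calls++;
    return e->masq_index != 0 && e->masq_index == ifindex;
}

/* Model of nf_ct_iterate_cleanup(): visit every entry, drop the ones that match. */
static size_t iterate_cleanup(struct ct_entry *tbl, size_t n, int ifindex)
{
    size_t removed = 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].in_use && device_cmp(&tbl[i], ifindex)) {
            tbl[i].in_use = 0;
            removed++;
        }
    }
    return removed;
}

/* Deliver one NETDEV_DOWN notification for each ifindex in 1..events. */
static size_t netdev_down_storm(struct ct_entry *tbl, size_t n, int events)
{
    size_t removed = 0;
    for (int ifindex = 1; ifindex <= events; ifindex++)
        removed += iterate_cleanup(tbl, n, ifindex);
    return removed;
}

int main(void)
{
    static struct ct_entry tbl[20000];            /* constructed table size */
    for (size_t i = 0; i < 20000; i++)
        tbl[i].in_use = 1;                        /* no entry was ever masqueraded */
    size_t removed = netdev_down_storm(tbl, 20000, 1700);  /* 1700 sessions drop once */
    printf("removed=%zu device_cmp calls=%lu\n", removed, cmp_calls);
    return 0;
}
```

In the model the callback count is the table size multiplied by the number of down events, which is why frequent PPPoE session drops show up as time spent in the compare function.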