On Thursday 21 May 2009 21:00:52 Pablo Neira Ayuso wrote:
> Denys Fedoryschenko wrote:
> > I have loaded pppoe (1700 users). I test one rule for short time with -j
> > MASQUERADE, then removed it and reset conntrack (conntrack -F). But still
> > I can see it is consuming CPU even when it is not used in any rule. Even
> > if I reboot server and just load rules that don't have MASQUERADE, and just
> > load module - it will start consuming CPU immediately.
>
> Are you using 2.6.29 with any conntrack helper loaded? In that case this
> fix is not in -stable yet.
>
> http://kerneltrap.org/mailarchive/linux-netdev/2009/4/8/5440564
>
> > 64811 3.7735 ipt_MASQUERADE ipt_MASQUERADE
> > device_cmp
>
> device_cmp() by nf_ct_iterate_cleanup() when NETDEV_DOWN event is
> received. Weird, is your device going down quite often? Another
> possibility is that there's some entry stuck in the conntrack table that
> we cannot delete, perhaps we're leaking refcounts somewhere.

It is loaded pppoe server (2k interfaces), sure they are appearing-disappearing non-stop. That's maybe the case, but weird that it is consuming CPU time while module not used at all anywhere (no rules with MASQUERADE).