> For reference, we have a 350MHz Cyrix machine handling iptables with
> stateful inspection for a medium-loaded 2Mb line with maybe 50 users/boxes
> behind it, and it has about 3000 connections right now and a load of 0.04.
> 50% of CPU time is used by the System, indicating netfilter. Perhaps your
> users are very busy?

Chris, I'm interested in why your 50 users generate 3000 connections.

We have about 1200 machines behind a stateful iptables box which has a 1GHz cpu with 128Mb mem. Of these 1200, probably < two-thirds ever connect to the outside world (e.g. right now wc -l '/proc/net/ip_conntrack' shows 1221 entries). I had no idea how to estimate the potential load on such a box, but this box also does NAT and some routing (we're gradually moving ourselves to private ip space) and I've never seen it even blink in terms of load. I run an idle process (a loopstop) at 'nice' 19, and top always shows this at 99% cpu. We have a 100Mb link to Janet and regularly achieve wire-speed transfers for things like ftp between us and fast nearby sites, and again, cpu-load is essentially zero during these.

I realise that different iptables activities will present different cpu loads (packet rate, number of entries in the tables, number of active connections etc) but do you have any feel for which of these is the most costly?

Cheers, Terry

Terry Horsnell (tsh@xxxxxxxxxxxxxxxxx)
I.T. Manager
Medical Research Council Lab of Molecular Biology
Hills Road
CAMBRIDGE CB2 2QH
U.K.
Phone: +44 (0)1223 248011
Fax: +44 (0)1223 213556
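Terry's question (why 50 hosts produce 3000 conntrack entries) is usually answered by looking at who owns the entries and what state they are in rather than at the bare `wc -l` count. The script below is an added example, not code from either poster: it parses the classic `/proc/net/ip_conntrack` line layout into per-host counts and a state mix, using a constructed sample table in place of the real file.

```python
import re
from collections import Counter

# Constructed sample in the 2.4-era /proc/net/ip_conntrack layout; not output
# from any box mentioned on the list. Note that UDP lines carry no state field.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=3201 dport=80 src=198.51.100.7 dst=10.0.0.5 sport=80 dport=3201 [ASSURED] use=1
tcp      6 431980 ESTABLISHED src=10.0.0.5 dst=198.51.100.9 sport=3202 dport=80 src=198.51.100.9 dst=10.0.0.5 sport=80 dport=3202 [ASSURED] use=1
tcp      6 118 TIME_WAIT src=10.0.0.5 dst=198.51.100.7 sport=3199 dport=80 src=198.51.100.7 dst=10.0.0.5 sport=80 dport=3199 [ASSURED] use=1
tcp      6 29 SYN_SENT src=10.0.0.5 dst=203.0.113.4 sport=3203 dport=25 src=203.0.113.4 dst=10.0.0.5 sport=25 dport=3203 use=1
udp      17 28 src=10.0.0.9 dst=10.0.0.1 sport=1025 dport=53 src=10.0.0.1 dst=10.0.0.9 sport=53 dport=1025 use=1
tcp      6 431000 ESTABLISHED src=10.0.0.9 dst=198.51.100.7 sport=4001 dport=443 src=198.51.100.7 dst=10.0.0.9 sport=443 dport=4001 [ASSURED] use=1
"""

# proto, protocol number, timeout, optional TCP state, then the original-direction tuple
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)

def parse_conntrack(text):
    """Parse conntrack lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({"proto": m["proto"], "state": m["state"] or "-",
                        "src": m["src"], "dst": m["dst"], "ttl": int(m["ttl"]),
                        "assured": "[ASSURED]" in line})
    return entries

def connections_per_host(entries):
    """Map each original-direction source address to its number of tracked entries."""
    return Counter(e["src"] for e in entries)

def state_mix(entries):
    """Count entries per state ('-' for stateless protocols such as UDP)."""
    return Counter(e["state"] for e in entries)

def unassured_count(entries):
    """Entries never seen in both directions: half-open or one-shot traffic that
    still occupies a table slot until its timeout expires."""
    return sum(1 for e in entries if not e["assured"])

if __name__ == "__main__":
    ents = parse_conntrack(SAMPLE_CONNTRACK)
    for host, n in connections_per_host(ents).most_common():
        print(f"{host:16} {n}")
    print("states:", dict(state_mix(ents)), "unassured:", unassured_count(ents))
```

On a real box, replace `SAMPLE_CONNTRACK` with the contents of `/proc/net/ip_conntrack`; a table dominated by TIME_WAIT, SYN_SENT or unassured entries reflects connection churn and timeouts rather than live sessions.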