On Thu, Dec 11, 2003 at 09:47:25PM -0800, Kishore Dharmavaram wrote:
> Hi All,
>
> I find that after inserting "iptable_nat" module on my RH9.0(2.4.20-19.9)
> box, session-setup(ip_conntrack) performance gets very bad.

Yes, that's true. I think we cannot state often enough: DO NOT load iptable_nat if you don't need nat.

> I am wondering why "iptable_nat" is slowing down the box so much when I
> don't have any NAT rules defined.

NAT is inherently complex, and in order to support any kind of nat, every connection (even the non-nat'ed ones) needs to be placed in two additional hash tables. If you just use conntrack, a single hash table is sufficient.

> Do you guys know of any netfilter patches made to address/fix this issue?

There is no way to 'address' this issue other than not using NAT.

> Thanks,
> Kishore

--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
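The advice above is "do not load iptable_nat unless you need it", so the useful check on a box like the one described is whether the module is currently loaded and whether anything still holds it. The script below is an added example, not code from the thread or from the netfilter project. It reads the module list from /proc/modules (2.4-era format: name, size, use count, flags, users) rather than running "iptables -t nat -L", because on a modular kernel querying the nat table is itself enough to autoload iptable_nat. The SAMPLE_MODULES text is constructed so the script also runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): report whether
# iptable_nat is loaded without touching the nat table, since
# "iptables -t nat -L" would autoload the module on a modular 2.4 kernel.

# Constructed sample of /proc/modules content (2.4 format) for offline runs.
SAMPLE_MODULES='iptable_nat 21720 0 (autoclean)
ip_conntrack 27016 1 (autoclean) [iptable_nat]
iptable_filter 2412 1 (autoclean)
ip_tables 16544 3 [iptable_nat iptable_filter]'

# nat_module_loaded MODULES_TEXT
#   returns 0 if a line names iptable_nat as a loaded module, 1 otherwise.
nat_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "iptable_nat" { found = 1 } END { exit !found }'
}

# nat_refcount MODULES_TEXT
#   prints the use count column for iptable_nat (empty if not loaded).
#   A count of 0 means nothing holds the module and rmmod can succeed.
nat_refcount() {
    printf '%s\n' "$1" | awk '$1 == "iptable_nat" { print $3; exit }'
}

# Use the real module list when available, otherwise the constructed sample.
if [ -r /proc/modules ]; then
    MODULES=$(cat /proc/modules)
else
    MODULES=$SAMPLE_MODULES
fi

if nat_module_loaded "$MODULES"; then
    echo "iptable_nat is loaded (use count $(nat_refcount "$MODULES"))"
    echo "if no NAT is needed, unload it with: rmmod iptable_nat"
else
    echo "iptable_nat is not loaded"
fi
```

Run it as root or not; it only reads /proc/modules. If the use count is 0 and you have no NAT rules, "rmmod iptable_nat" drops the two extra hash tables the reply describes; if the count is non-zero, something (typically a nat rule or a dependent module) still references it and rmmod will refuse.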