Patrick McHardy wrote:
Guillaume Leccese wrote:
Patrick McHardy wrote:
On a 2.6.19.1 kernel box (nfct patch from Julian
http://www.ssi.bg/~ja/nfct/) we have a strange performance problem.
When a scan occurs on a /24 network handled by the firewall (on a filtered
port) packets dropping produces a syslog output. During the logging process,
the traffic is at a frozen state (2 seconds to 30 seconds, depending on the
number of ports scanned).
[...]
When output to syslog is not effective, there is no performance
decrease.
More details about the configuration:
- Linux 2.6.19.1, module activate, iptables not in module
- e1000, tygon 3 and sundance drivers in module
- bonding device in module
- 2x e1000, driver v7.6.9 stable, in bonding
- Keepalived 1.1.12-1, Debian apt version
Are you using serial console?
Hi Patrick,
Do you ask me if the serial console is compiled in the kernel or if
I'm using serial console for remote control?
Whether you use serial console for logging.
1/ yes, see the .config in attachment
2/ no, we use ssh
In case you're not using the serial console for logging, can you
reproduce it without Julian's patches?
I can't use actually working environment without Julian's patches.
Tomorrow, I will try to reproduce on a test environment without the
patch, but I'm not sure I can achieve that because we can't reach the same
network load.
Thx for your help (and sorry for my English ^^).
Guillaume