On Tue, 14 Jul 2009, Vects wrote:

> I'm using iptables/ipsets on a busy Linux firewall; this firewall handles
> 300-400 Mb/s during working hours. From time to time I see a significant
> traffic drop and ksoftirqd/1 uses 100% CPU; in this situation I
> stop/start iptables, and after that network traffic and ksoftirqd return
> to normal.
> First I thought this was a problem with the network card driver, but changing
> the driver didn't help; then I found that it depends on the number of
> ipsets in iptables.

How did you verify that? What kind of sets do you use?

> I'm using iptables 1.4.4 and ipset 3.0. I tested it on CentOS with the
> original kernel and a custom-compiled 2.6.31, with the same result.
>
> Here's the output of ifconfig:
>
> eth0      Link encap:Ethernet  HWaddr 00:19:BB:2D:98:D4
>           inet addr:x.x.x.x  Bcast:x.x.x.x  Mask:255.255.255.248
>           inet6 addr: fe80::219:bbff:fe2d:98d4/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:34773084524 errors:0 dropped:19709680 overruns:0 frame:0
>           TX packets:26672945752 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3000
>           RX bytes:34484441962468 (31.3 TiB)  TX bytes:7277712977419 (6.6 TiB)
>           Interrupt:185 Memory:f8000000-f8012800

It'd be good to know the type of the network card and any settings to tune
the driver or the stack.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary