On Tue, 2009-07-14 at 16:15 +0700, Victor Safronov wrote:
> Vects wrote:
> > Hello there,
> > I'm using iptables/ipsets on a busy Linux firewall. This firewall handles
> > 300-400 Mb/s during working hours. From time to time I see a significant
> > traffic drop and ksoftirqd/1 uses 100% CPU. In this situation I
> > stop/start iptables, and after that network traffic and ksoftirqd return
> > to normal.
> > First I thought this was a problem with the network card driver, but changing the
> > driver didn't help. Then I found that it depends on the number of
> > ipsets in iptables.
> >
> > I'm using iptables 1.4.4 and ipset 3.0. I tested it on CentOS with the
> > original kernel and a custom-compiled 2.6.31, with the same result.
> >
> > Here is the output of ifconfig:
> >
> > eth0      Link encap:Ethernet HWaddr 00:19:BB:2D:98:D4
> >           inet addr:x.x.x.x Bcast:x.x.x.x Mask:255.255.255.248
> >           inet6 addr: fe80::219:bbff:fe2d:98d4/64 Scope:Link
> >           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> >           RX packets:34773084524 errors:0 dropped:19709680 overruns:0 frame:0
> >           TX packets:26672945752 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:3000
> >           RX bytes:34484441962468 (31.3 TiB) TX bytes:7277712977419 (6.6 TiB)
> >           Interrupt:185 Memory:f8000000-f8012800
> >
> >
> > What else can I do in order to solve that problem? I'll appreciate any
> > input.
> >
> > Thanks, Serge.
> >
> You can use oprofile to determine what exactly 'eats' your processor time.
> This problem is well known to me.

This is a production server, I can't do anything on it. You said you are familiar with that problem; what was the reason in your case?

Thanks, Serge.