Re: Using iptables with high volume mail

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


----- Original Message ----
> From: Michele Petrazzo - Unipex <michele.petrazzo@xxxxxxxxx>
> To: John Little <jlittle_97@xxxxxxxxx>
> Cc: Thomas Jacob <jacob@xxxxxxxxxxxxx>; Gáspár Lajos <swifty@xxxxxxxxxxx>; netfilter@xxxxxxxxxxxxxxx
> Sent: Friday, October 2, 2009 11:08:13 AM
> Subject: Re: Using iptables with high volume mail
> 
> John Little wrote:
> >> What matters most is what happens in each time slice, not so much
> >> how many connections you have in the connection hash table (you can
> >> tune that table with with
> >> /proc/sys/net/ipv4/netfilter/ip_conntrack_max and
> >> /sys/module/ip_conntrack/parameters/hashsize).
> >> 
> 
> Except that if the table fill up you'll see some "table full" kernel
> messages and the connections will be refused!
> 
> >> However, emails per time should be pretty much the same as
> >> connections per time, unless you open several tcp connections over
> >> the nat box for each email, and I see no reason why you would need
> >> to do that ;)
> > 
> > We have some stats now:
> > Packets per second:  avg 6221 max 41,810
> > Connections peak: avg 7263  max 22,981
> > 
> > New connections per second: avg 102 max 1029
> 
> > If I allocate 500 bytes per connection at the max
> > connections I would need ~87Mb + machine overhead.  That's not much
> > in today's world of servers.
> 
> 
> Only for add some real numbers that hope pacify your heart, with the
> lnstat tool (lnstat -f ip_conntrack) I have here:
> 
> 100k entries into ip_conntrack, about 700 new conn/sec, 8k iptables
> rules, 0.5/0.8 cpu load, with a xeon 4 cores and 2 gb ram and e1000e
> card and no problems at all.
> The unique think that I can say you to do with this cards it's to
> _update_ the drivers with the last one found on the site because that on
> the kernel vanilla aren't so stable and can (who say for sure?) *oops*
> your server.
> 
> > Thanks, John
> > 
> 
> Michele
Thomas, Michele and Gaspar,
That is some good information.  From what I can see what you guys are doing is in the realm of where we are with our connections per second, machine sizes/resources etc.  Thank you all for your responses.  We are going to compile the information that we have learned with your help and present it to management.  It certainly looks like the way we want to go.

Thank you very much for your help!
John


      
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux