On Monday 2011-12-05 01:07, Leo Cavaille wrote:

>On Sun, Dec 04, 2011 at 10:09:07PM +0100, Jan Engelhardt wrote:
>> >2) These ~62k rules are not really significant for the load of my
>> >firewall. But unfortunately, I had sometimes in my tests to manage some big
>> >failures, where an iptables command (-Z, -A or -L) is stuck on the system
>> >and then one of my cores is used at 100% and the load increases, and generally
>> >I get this kernel alert:
>> >http://pastebin.com/F1DL7ZZT
>>
>> Keep in mind that the ruleset is replaced for each HW thread and thus
>> puts big requirements on memory available; as such though, I would have
>> expected an OOM message rather than an Unable To Handle Kernel Paging
>> Request.
>
>I had the chance to see a 'top' running when crashing and the memory (I
>got plenty = 16GB) was only used about 1/4.

You won't see this in top, because the alloc-dealloc cycle is most likely
faster than top's interval.
http://www.spinics.net/lists/netfilter/msg51895.html

>But the CPUs are used at full capacity! Do you know if it is a SW or HW
>issue?

A layer-8 issue. To traverse 62000 rules just for a single packet
requires time (which is why it's even more important to go the
logarithmic way).

>It could be a coincidence but my clock is running crazy. I have got some
>huge offsets recently and I am trying to solve this other issue right
>now. (AFAIK there is no reason it could be linked to the iptables kernel
>paging request)

Wouldn't know, but report it to linux-kernel@. I did not keep track of
timer issues (since I did not have any).
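As an added example (not part of the thread and not Jan's or the netfilter project's own tooling), the script below shows the kind of restructuring the reply points at: a long linear run of per-address DROP rules, each of which every packet has to walk past, collapsed into one ipset `hash:ip` set (a hash lookup, so constant rather than linear in the number of addresses) plus a single `-m set` rule at the position of the first DROP. The sample ruleset in `iptables -S INPUT` syntax and the set name `blocklist` are constructed for illustration; the script only generates `ipset restore` and `iptables-restore` input and does not touch the running firewall.

```shell
#!/bin/sh
# Constructed sample ruleset (not from the thread), in `iptables -S INPUT` form.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -s 203.0.113.9/32 -j DROP
-A INPUT -s 198.51.100.77/32 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.200/32 -j DROP'

SET_NAME=blocklist   # assumed name for the hash:ip set that replaces the DROP run

# Print only the /32 source addresses of plain "-s X/32 -j DROP" rules.
drop_sources() {
    printf '%s\n' "$SAMPLE_RULES" |
        sed -n 's|^-A INPUT -s \([0-9.]*\)/32 -j DROP$|\1|p'
}

# Emit an `ipset restore` script: one create line, then one add per address.
# hashsize is a fixed power of two here; size it to the real address count.
ipset_restore_script() {
    n=$(drop_sources | wc -l | tr -d ' ')
    printf 'create %s hash:ip family inet hashsize 65536 maxelem %s -exist\n' \
        "$SET_NAME" "$((n * 2))"
    drop_sources | while read -r ip; do
        printf 'add %s %s -exist\n' "$SET_NAME" "$ip"
    done
}

# Emit the replacement ruleset: the first per-IP DROP becomes the single
# set-match rule (so ordering relative to the ACCEPTs is preserved) and the
# remaining per-IP DROPs are removed; every other line is kept verbatim.
iptables_restore_rules() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v set="$SET_NAME" '
        /^-A INPUT -s [0-9.]+\/32 -j DROP$/ {
            if (!done) { print "-A INPUT -m set --match-set " set " src -j DROP"; done = 1 }
            next
        }
        { print }'
}

# Number of rules a packet may traverse in INPUT, before and after.
rule_count_before() { printf '%s\n' "$SAMPLE_RULES" | grep -c '^-A '; }
rule_count_after()  { iptables_restore_rules | grep -c '^-A '; }
```

Feed the two outputs to `ipset restore` and `iptables-restore` (in that order, since the rule references the set) after reviewing them; a real 62k-rule chain usually also mixes in rules that are not plain per-address DROPs, so check what the sed pattern leaves behind.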