Re: ulog dropping packets when rate is 4000 packets/sec or more

Eric Leblond <eric@xxxxxxxxx> · Wed, 09 Sep 2015 08:51:35 +0200

Hello,

Le 9 sept. 2015 8:27 AM, Akshat Kakkar <akshat.1984@xxxxxxxxx> a écrit :
>
> On Mon, Sep 7, 2015 at 5:45 PM, Akshat Kakkar <akshat.1984@xxxxxxxxx> wrote: 
> > Hi! 
> > 
> > I am using JSON plugin of ULOG to log iptables traffic. When the input 
> > rate  is arond 4000 packets/sec, ulog is not logging all the packets. 

Please use nflog instead. Ulog has been removed from recent kernel.

> > At 4000 pkts/sec, it drops around 0.1 % of pkts. 
> > At 5000 pkts/sec, it drops around 2.4% of pkts. 
> > At 6000 pkts/sec, it drops around 3.67% of pkts. 
> > At 15000 pkts/sec, it drops around 16.7% of pkts. 
> > 
> > Is this expected? or am I missing something. 

This is expected, there is a performance cost in logging.

Some ways to try to improve this:
 - use nflog batch feature (iptables/nftables option)
 - increase nfnetlink buffer size (ulogd conf)
 - write json file to a faster disk (I doubt this is the key point here)

BR,

>
> Anybody? Regit? 
> -- 
> To unsubscribe from this list: send the line "unsubscribe netfilter" in 
> the body of a message to majordomo@xxxxxxxxxxxxxxx 
> More majordomo info at  http://vger.kernel.org/majordomo-info.html 
��.n��������+%������w��{.n����z��׫�)��jg��������ݢj����G�������j:+v���w�m������w�������h�����٥