linux-kernel.vger.kernel.org archive mirror
From: Ron Peterson <rpeterso@MtHolyoke.edu>
To: linux-kernel@vger.kernel.org
Subject: Re: network / performance problems
Date: Wed, 14 Apr 2004 00:54:51 -0400 (EDT)	[thread overview]
Message-ID: <Pine.OSF.4.21.0404140047170.78613-100000@mhc.mtholyoke.edu> (raw)
In-Reply-To: <Pine.OSF.4.21.0404121056530.4091-100000@mhc.mtholyoke.edu>


On Mon, 12 Apr 2004, Ron Peterson wrote:

> I have another machine that's not in production yet running 2.6.5.  I've
> adopted the habit of compiling netfilter stuff as modules, but I'll
> statically link everything and run it that way to see what I can see.

Results here:

http://depot.mtholyoke.edu:8080/tmp/tap-stow/2004-04-14/

The problem persists.  To the best of my knowledge, starting with kernel 
version 2.4.21, and including 2.6 series kernels, if you statically link
netfilter code, and use iptables to set up connection tracking rules (as 
below), ksoftirqd will consume increasing cpu%, and ping latencies
will grow.  Eventually the machine will be unusable.


#! /bin/sh

IPTABLES=/usr/local/sbin/iptables

IFPUB=eth0
IFPRIV=eth1
PUBIP=...
PUBNET=...
PRIVIP=...
PRIVNET=...

# The default policy for each chain is to DROP the packet.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Flush existing rules for all chains.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# Allow this host to establish new connections.  Otherwise only accept
# established connections.
$IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ping from on-campus
$IPTABLES -A INPUT -i $IFPUB -s $PUBNET --protocol icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -i $IFPRIV -s $PRIVNET --protocol icmp --icmp-type echo-request -j ACCEPT

# Allow incoming ssh connections.
$IPTABLES -A INPUT --protocol tcp --destination-port 22 -j ACCEPT

# Allow incoming https connections.
# $IPTABLES -A INPUT --protocol tcp --destination-port 443 -j ACCEPT

# Allow Samba/SMB/NetBIOS
$IPTABLES -A INPUT --protocol tcp --destination-port 137:139 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --destination-port 445 -j ACCEPT

# Allow CUPS
$IPTABLES -A INPUT --protocol tcp --destination-port 631 -j ACCEPT

# Allow this host to talk to itself.
$IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
$IPTABLES -A INPUT -s $PUBIP -d $PUBIP -j ACCEPT
$IPTABLES -A INPUT -s $PRIVIP -d $PRIVIP -j ACCEPT

_________________________
Ron Peterson
Network & Systems Manager
Mount Holyoke College
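
Added example, not code from the message above or from the reporter's machine: a small monitor that quantifies the two symptoms the report describes, ksoftirqd CPU share and ping round-trip time growing together over time. It reads ksoftirqd's utime/stime from /proc/<pid>/stat, parses ping(8) output, and flags a series whose second half averages more than twice its first half. The host name, the 10 s sample interval, the 2x growth ratio, USER_HZ=100 and the sample stat/ping lines are all constructed assumptions.

```python
# Added example (not part of the original message): a small monitor for
# the symptom described above, ksoftirqd CPU share and ping RTT growing
# together over time.  Host name, sample interval, the "growth" ratio and
# the sample lines at the bottom are assumptions, not values from the thread.
import glob
import os
import re
import subprocess
import time

PING_RE = re.compile(r"time=([0-9.]+) ms")


def cpu_ticks(stat_line):
    """utime + stime (fields 14 and 15 of /proc/<pid>/stat) from one stat line.

    The comm field (field 2) is parenthesised and may contain spaces or
    ')' itself, so split on the last ')' rather than on whitespace."""
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    # rest[0] is field 3 (state), so field N is rest[N - 3]
    return int(rest[11]) + int(rest[12])


def cpu_percent(stat_before, stat_after, seconds, clk_tck=100):
    """CPU share of the task between two stat samples taken `seconds` apart.

    clk_tck defaults to 100 (USER_HZ on x86, an assumption); pass
    os.sysconf("SC_CLK_TCK") when sampling live."""
    delta = cpu_ticks(stat_after) - cpu_ticks(stat_before)
    return 100.0 * delta / (clk_tck * seconds)


def ping_rtts(ping_output):
    """Round-trip times in ms from ping(8) output."""
    return [float(m.group(1)) for m in PING_RE.finditer(ping_output)]


def is_growing(series, ratio=2.0, min_samples=4):
    """True when the second half of the series averages more than `ratio`
    times the first half; a cheap trend check that ignores single spikes."""
    if len(series) < min_samples:
        return False
    half = len(series) // 2
    first = sum(series[:half]) / half
    second = sum(series[half:]) / (len(series) - half)
    return second > ratio * first


def ksoftirqd_stat_paths():
    """/proc/<pid>/stat for every ksoftirqd thread (2.4: ksoftirqd_CPUn,
    2.6: ksoftirqd/n); only meaningful on Linux."""
    paths = []
    for path in glob.glob("/proc/[0-9]*/stat"):
        try:
            with open(path) as f:
                line = f.read()
        except OSError:
            continue
        if "(ksoftirqd" in line:
            paths.append(path)
    return paths


def monitor(host, interval=10, rounds=6):
    """Sample total ksoftirqd CPU% and ping RTT `rounds` times; returns two lists."""
    clk = os.sysconf("SC_CLK_TCK")
    paths = ksoftirqd_stat_paths()
    cpu, rtt = [], []
    before = [open(p).read() for p in paths]
    for _ in range(rounds):
        time.sleep(interval)
        after = [open(p).read() for p in paths]
        cpu.append(sum(cpu_percent(b, a, interval, clk) for b, a in zip(before, after)))
        out = subprocess.run(["ping", "-c", "1", host],
                             capture_output=True, text=True).stdout
        rtt.extend(ping_rtts(out))
        before = after
    return cpu, rtt


# Constructed samples (not captured from the reporter's machine): two stat
# lines 10 s apart and five ping replies with climbing RTTs.
STAT_T0 = "3 (ksoftirqd/0) S 1 1 1 0 -1 34816 0 0 0 0 120 340 0 0 5 -5 1 0 40 0 0"
STAT_T10 = "3 (ksoftirqd/0) R 1 1 1 0 -1 34816 0 0 0 0 150 1100 0 0 5 -5 1 0 40 0 0"
PING_SAMPLE = """64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.2 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.3 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=1.5 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=4.8 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=12.0 ms
"""

if __name__ == "__main__":
    print("ksoftirqd CPU%% over 10 s: %.1f" % cpu_percent(STAT_T0, STAT_T10, 10))
    rtts = ping_rtts(PING_SAMPLE)
    print("RTT trend growing:", is_growing(rtts), rtts)
    # On a live Linux box: cpu, rtt = monitor("10.0.0.1"); is_growing(cpu), is_growing(rtt)
```

Run as a script it evaluates the constructed samples; monitor() does the live sampling on a Linux host and is where the two series would be compared against each other, which is the correlation the report describes (both climbing while the rule set stays unchanged).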


Thread overview: 26+ messages
2004-02-21  2:44 network / performance problems Ron Peterson
2004-02-21  3:08 ` Andrew Morton
2004-02-21 14:36   ` Ron Peterson
2004-02-22 17:32     ` Ron Peterson
2004-02-22 21:25       ` Ron Peterson
2004-02-23 16:32         ` Ron Peterson
2004-02-23 22:17           ` Ron Peterson
2004-02-23 22:54             ` Ron Peterson
2004-02-24  4:28             ` Ron Peterson
2004-02-24 14:26               ` Ron Peterson
2004-02-24 18:22                 ` David S. Miller
2004-02-24 18:42                   ` Ron Peterson
2004-02-24 18:47                     ` David S. Miller
2004-02-24 19:35                       ` Ron Peterson
2004-02-24 23:20                         ` Andrew Morton
2004-02-25 19:16                 ` Ron Peterson
2004-03-04 19:24                   ` Ron Peterson
2004-03-04 19:29                     ` David S. Miller
2004-03-04 19:39                       ` Ron Peterson
2004-03-06 14:55                     ` Ron Peterson
2004-03-06 15:00                       ` Ron Peterson
2004-03-09  7:34                       ` David S. Miller
2004-03-09 15:01                         ` Ron Peterson
2004-03-09 21:11                           ` Ron Peterson
2004-04-12 15:03                     ` Ron Peterson
2004-04-14  4:54                       ` Ron Peterson [this message]