Yenya's World

Wed, 16 Nov 2005

IP conntrack testing

We have a filtering router running Linux with around 1400 iptables rules and multiple gigabit interfaces. For a long time I have wanted to explore the newer Netfilter features, such as IP connection tracking (and the raw table with the NOTRACK target), ulogd, etc.

On Saturday I booted the new kernel with ip_conntrack and the whole set of other Netfilter bells and whistles. I have not played with it so far, but connection tracking is on, and it seems to have had no significant performance impact on the server itself:

[Graphs: packets per second; CPU usage; connections tracked]

The above graphs show packets per second routed, CPU usage (system time, and user+system time), and the number of tracked connections. The new kernel with conntrack support has been running since Saturday evening.
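Two things a practitioner would want next to those graphs: the raw-table NOTRACK rules mentioned above, which keep a chosen flow class out of the conntrack table, and a check of how full the table is, because once ip_conntrack_count reaches ip_conntrack_max the kernel drops new flows (logging "ip_conntrack: table full, dropping packet"). The script below is an added example, not code from this post; the port, the 80% threshold and the 2.6-era sysctl paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from Yenya's post). Two helpers around ip_conntrack on a
# Linux router: NOTRACK rules for a flow class, and conntrack table headroom.
# Port, threshold and sysctl paths below are assumptions for illustration.

# Emit raw-table rules that exempt a flow class (e.g. udp/53) from conntrack.
# The raw table is traversed before conntrack allocates an entry, so rules are
# needed in PREROUTING (forwarded and inbound) and OUTPUT (locally generated),
# and for both directions of the flow (dport and sport). Printed rather than
# executed so this runs unprivileged; pipe into sh to apply.
notrack_rules() {
    proto="$1"; port="$2"
    for dir in dport sport; do
        printf 'iptables -t raw -A PREROUTING -p %s --%s %s -j NOTRACK\n' \
            "$proto" "$dir" "$port"
        printf 'iptables -t raw -A OUTPUT -p %s --%s %s -j NOTRACK\n' \
            "$proto" "$dir" "$port"
    done
}

# Percentage of the conntrack table in use. $1 is the directory holding the
# sysctl files (default: 2.6-era path; newer kernels use
# /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max).
conntrack_usage_pct() {
    dir="${1:-/proc/sys/net/ipv4/netfilter}"
    count=$(cat "$dir/ip_conntrack_count") || return 1
    max=$(cat "$dir/ip_conntrack_max") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Report usage; return non-zero (for cron/monitoring) at or above $2 percent.
conntrack_check() {
    pct=$(conntrack_usage_pct "$1") || return 1
    threshold="${2:-80}"
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack table ${pct}% full" >&2
        return 1
    fi
    echo "conntrack table ${pct}% full"
}
```

Apply the rules with `notrack_rules udp 53 | sh`. Caveat for the filter table: untracked packets never match `-m state --state ESTABLISHED,RELATED`, so a rule set that relies on that for return traffic must accept the exempted flows explicitly (or via `--state UNTRACKED`), otherwise NOTRACK silently breaks them.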



Yenya's World: Linux and beyond - Yenya's blog.



Jan "Yenya" Kasprzak
