Yenya's World

Wed, 16 Nov 2005

IP conntrack testing

We have a filtering router running Linux, which has around 1400 iptables rules, and multiple gigabit interfaces. For a long time I wanted to explore newer features of Netfilter, such as IP connection tracking (and the raw table with NOTRACK target), ulogd, etc.

On Saturday I booted the new kernel with ip_conntrack and the whole set of other Netfilter bells and whistles. I have not played with it so far, but connection tracking is on, and it seems to have had no significant performance impact on the server itself:

[Graphs: packets per second, CPU usage, connections tracked]

The above graphs show values of packets per second routed, CPU usage (system time and user+system time), and number of connections. The new kernel with conntrack support is on since Saturday evening.
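The "connections tracked" number in the graphs comes from the conntrack table that the kernel exposes in /proc. As an added example (not code from the post), the script below parses a 2.6-era /proc/net/ip_conntrack dump, summarises it by protocol and TCP state, compares the entry count against ip_conntrack_max (once the table is full the kernel starts dropping new connections), and ranks the heaviest flows as candidates for the raw table's NOTRACK target that the post mentions. The sample lines are constructed, the addresses are RFC 5737 documentation ranges, and the /proc paths are the ones assumed for kernels of that era.

```python
"""Summarise a 2.6-era /proc/net/ip_conntrack dump (added example, not the
blog's code). Assumed line layout: protocol name, protocol number, timeout in
seconds, an optional TCP state, key=value pairs for the original tuple,
optionally [UNREPLIED], the reply tuple, optionally [ASSURED], then mark= and
use=. Sample entries below are constructed for this example."""
import os
from collections import Counter

TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSE", "LISTEN"}

# Constructed sample of a small conntrack table (RFC 5737 addresses).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.5 dst=198.51.100.1 sport=54321 dport=22 packets=120 bytes=9000 src=198.51.100.1 dst=192.0.2.5 sport=22 dport=54321 packets=100 bytes=12000 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=192.0.2.7 dst=198.51.100.2 sport=40000 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.2 dst=192.0.2.7 sport=80 dport=40000 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.0.2.5 dst=198.51.100.3 sport=53000 dport=53 packets=1 bytes=70 src=198.51.100.3 dst=192.0.2.5 sport=53 dport=53000 packets=1 bytes=150 mark=0 use=1
udp      17 170 src=192.0.2.9 dst=198.51.100.4 sport=5060 dport=5060 packets=5000 bytes=4000000 src=198.51.100.4 dst=192.0.2.9 sport=5060 dport=5060 packets=5000 bytes=4000000 [ASSURED] mark=0 use=1
icmp     1 29 src=192.0.2.5 dst=198.51.100.1 type=8 code=0 id=1234 packets=1 bytes=84 src=198.51.100.1 dst=192.0.2.5 type=0 code=0 id=1234 packets=1 bytes=84 mark=0 use=1
"""

# Assumed /proc locations for the ip_conntrack module of that kernel generation.
CONNTRACK_TABLE = "/proc/net/ip_conntrack"
CONNTRACK_MAX = "/proc/sys/net/ipv4/ip_conntrack_max"


def parse_entry(line):
    """Return a dict for one conntrack line, or None for blank/malformed lines."""
    tokens = line.split()
    if len(tokens) < 4 or not tokens[1].isdigit() or not tokens[2].isdigit():
        return None
    entry = {"proto": tokens[0], "proto_num": int(tokens[1]),
             "timeout": int(tokens[2]), "state": None,
             "orig": {}, "reply": {}, "flags": set(), "meta": {}}
    rest = tokens[3:]
    if rest[0] in TCP_STATES:          # only TCP entries carry a state word
        entry["state"] = rest.pop(0)
    tuple_ = entry["orig"]
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok[1:-1])   # ASSURED / UNREPLIED
            continue
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        if key in ("mark", "use"):
            entry["meta"][key] = int(value)
            continue
        if key == "src" and "src" in tuple_:
            tuple_ = entry["reply"]       # second src= opens the reply tuple
        tuple_[key] = value
    return entry


def summarize(text, conntrack_max):
    """Counts per protocol and TCP state, unreplied entries, and the fill
    ratio against ip_conntrack_max (1.0 means new flows are being dropped)."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return {
        "count": len(entries),
        "by_proto": dict(Counter(e["proto"] for e in entries)),
        "by_state": dict(Counter(e["state"] for e in entries if e["state"])),
        "unreplied": sum("UNREPLIED" in e["flags"] for e in entries),
        "fill_ratio": len(entries) / conntrack_max,
    }


def heaviest_flows(text, n=3):
    """Flows ranked by bytes in both directions: candidates for NOTRACK if
    they need neither stateful filtering nor NAT. Returns
    (proto, original dst, original dport or None, total bytes) tuples."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]

    def total_bytes(e):
        return int(e["orig"].get("bytes", 0)) + int(e["reply"].get("bytes", 0))

    ranked = sorted(entries, key=total_bytes, reverse=True)[:n]
    return [(e["proto"], e["orig"].get("dst"), e["orig"].get("dport"),
             total_bytes(e)) for e in ranked]


def notrack_rules(flows):
    """Raw-table rules exempting the given flows from tracking. Both
    directions are listed: if only one side is NOTRACKed, the reply packets
    would still create (unreplied) conntrack entries."""
    rules = []
    for proto, dst, dport, _ in flows:
        port_fwd = f" --dport {dport}" if dport else ""   # ICMP has no ports
        port_rev = f" --sport {dport}" if dport else ""
        rules.append(f"iptables -t raw -A PREROUTING -p {proto} -d {dst}{port_fwd} -j NOTRACK")
        rules.append(f"iptables -t raw -A PREROUTING -p {proto} -s {dst}{port_rev} -j NOTRACK")
    return rules


if __name__ == "__main__":
    # Use the live table when run on a router of that era, else the sample.
    if os.path.exists(CONNTRACK_TABLE) and os.path.exists(CONNTRACK_MAX):
        with open(CONNTRACK_TABLE) as f, open(CONNTRACK_MAX) as m:
            text, limit = f.read(), int(m.read())
    else:
        text, limit = SAMPLE, 65536
    print(summarize(text, limit))
    for rule in notrack_rules(heaviest_flows(text)):
        print(rule)
```

The fill ratio is the number to watch when rolling conntrack out on a busy router: the default ip_conntrack_max is derived from RAM, and a table that reaches it silently drops new connections rather than slowing down, so it will not show up as CPU load in graphs like the ones above.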

Jan "Yenya" Kasprzak