Netfilter conntrack performance tweaking, v0.6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hervé Eychenne <rv _AT_ wallfire _DOT_ org>
This document explains some of the things you need to know for netfilter
conntrack (and thus NAT) performance tuning.
The latest version of this document can be found at:
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
------------------------------------------------------------------------------
There are two parameters we can play with:
- the maximum number of allowed conntrack entries, which will be called
CONNTRACK_MAX in this document
- the size of the hash table storing the lists of conntrack entries, which
will be called HASHSIZE (see below for a description of the structure)
CONNTRACK_MAX is the maximum number of "sessions" (connection tracking entries)
that can be handled simultaneously by netfilter in kernel memory.
A conntrack entry is stored in a node of a linked list, and there are several
lists, each list being an element in a hash table. So each hash table entry
(also called a bucket) contains a linked list of conntrack entries.
To access a conntrack entry corresponding to a packet, the kernel has to:
- compute a hash value according to some defined characteristics of the packet.
This is a constant time operation.
This hash value will then be used as an index in the hash table, where a
list of conntrack entries is stored.
- iterate over the linked list of conntrack entries to find the right one.
This is a more costly operation, whose cost depends on the length of the list
(and on the position of the wanted conntrack entry in the list).
The hash table contains HASHSIZE linked lists. When the limit is reached
(the total number of conntrack entries being stored has reached CONNTRACK_MAX),
each list will contain ideally (in the optimal case) about
CONNTRACK_MAX/HASHSIZE entries.
The hash table occupies a fixed amount of non-swappable kernel memory,
whether you have any connections or not. But the maximum number of conntrack
entries determines how many conntrack entries can be stored (globally into the
linked lists), i.e. how much kernel memory they will be able to occupy at most.
This document will now give you hints about how to choose optimal values for
HASHSIZE and CONNTRACK_MAX, in order to get the best out of the netfilter
conntracking/NAT system.
Default values of CONNTRACK_MAX and HASHSIZE
============================================
By default, both CONNTRACK_MAX and HASHSIZE get average values for
"reasonable" use, computed automatically according to the amount of
available RAM.
Default value of CONNTRACK_MAX
------------------------------
On i386 architecture, CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 =
RAMSIZE (in MegaBytes) * 64.
So for example, a 32-bit PC with 512MB of RAM can handle 512*1024^2/16384 =
512*64 = 32768 simultaneous netfilter connections by default.
But the real formula is:
CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32)
where x is the number of bits in a pointer (for example, 32 or 64 bits)
Please note that:
- the default CONNTRACK_MAX value will never be lower than 128
- for systems with more than 1GB of RAM, default CONNTRACK_MAX value is
limited to 65536 (but can of course be set to more manually).
Default value of HASHSIZE
-------------------------
By default, CONNTRACK_MAX = HASHSIZE * 8. This means that there is an average
of 8 conntrack entries per linked list (in the optimal case, and when
CONNTRACK_MAX is reached), each linked list being a hash table entry
(a bucket).
On i386 architecture, HASHSIZE = CONNTRACK_MAX / 8 =
RAMSIZE (in bytes) / 131072 = RAMSIZE (in MegaBytes) * 8.
So for example, a 32-bit PC with 512MB of RAM can store 512*1024^2/131072 =
512*8 = 4096 buckets (linked lists).
But the real formula is:
HASHSIZE = CONNTRACK_MAX / 8 = RAMSIZE (in bytes) / 131072 / (x / 32)
where x is the number of bits in a pointer (for example, 32 or 64 bits)
Please note that:
- the default HASHSIZE value will never be lower than 16
- for systems with more than 1GB of RAM, default HASHSIZE value is limited
to 8192 (but can of course be set to more manually).
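The following script is an added worked example, not part of the original
document: it reproduces the default CONNTRACK_MAX and HASHSIZE computation
described above (the RAMSIZE / 16384 / (x / 32) formula, the 128 and 16
floors, and the 65536 and 8192 caps for machines with more than 1GB of RAM)
and reports the resulting average bucket length. The function names and the
sample RAM sizes are the example's own; it follows the formulas exactly as
stated here and does not model any further rounding the kernel might apply.

```python
#!/usr/bin/env python3
"""Added example: default netfilter conntrack sizing as described above.

Not the kernel's code; the formulas and limits are taken from the text."""

MIB = 1024 ** 2
GIB = 1024 ** 3


def default_conntrack_max(ram_bytes, pointer_bits=32):
    """Default CONNTRACK_MAX = RAMSIZE (bytes) / 16384 / (x / 32), where x is
    the pointer width in bits. Never lower than 128; capped at 65536 on
    machines with more than 1GB of RAM."""
    assert pointer_bits in (32, 64), "x must be 32 or 64 (as in the text)"
    value = ram_bytes // 16384 // (pointer_bits // 32)
    value = max(value, 128)
    if ram_bytes > GIB:
        value = min(value, 65536)
    return value


def default_hashsize(ram_bytes, pointer_bits=32):
    """Default HASHSIZE = CONNTRACK_MAX / 8. Deriving it from the already
    floored/capped CONNTRACK_MAX gives exactly the stated limits:
    128 / 8 = 16 and 65536 / 8 = 8192."""
    return default_conntrack_max(ram_bytes, pointer_bits) // 8


def average_chain_length(conntrack_max, hashsize):
    """Average entries per bucket once CONNTRACK_MAX is reached, assuming the
    hash spreads entries evenly over the HASHSIZE lists. This is the number
    of list nodes the lookup step described above has to walk on average."""
    return conntrack_max / hashsize


def hashsize_for_chain_length(conntrack_max, target_length):
    """Smallest HASHSIZE that keeps the average chain at or below
    target_length for a given CONNTRACK_MAX (simple ceiling division)."""
    return -(-conntrack_max // target_length)


if __name__ == "__main__":
    # Constructed sample machines: (RAM in bytes, pointer width in bits).
    samples = ((128 * MIB, 32), (512 * MIB, 32), (512 * MIB, 64), (2 * GIB, 32))
    for ram, bits in samples:
        cmax = default_conntrack_max(ram, bits)
        hsize = default_hashsize(ram, bits)
        print(f"{ram // MIB:5d} MB, {bits}-bit: CONNTRACK_MAX={cmax:6d} "
              f"HASHSIZE={hsize:5d} avg chain={average_chain_length(cmax, hsize):.1f}")
    # A 512MB 32-bit box wanting chains of 2 instead of 8 needs 4x the buckets.
    print("HASHSIZE for avg chain 2 at CONNTRACK_MAX 32768:",
          hashsize_for_chain_length(32768, 2))
```

Run it directly to print the table; the 512MB/32-bit row reproduces the
32768 / 4096 figures given in the text, and the 64-bit row shows the halving
introduced by the (x / 32) term.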
Reading CONNTRACK_MAX and HASHSIZE
==================================
Current CONNTRACK_MAX value can be read at runtime, via the /proc filesystem.
Before Linux kernel version 2.4.23, use:
# cat /proc/sys/net/ipv4/ip_conntrack_max
As of Linux kernel version 2.4.23, use:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
(old /proc/sys/net/ipv4/ip_conntrack_max is then deprecated!)