[lvs-users] NFCT and PMTU

Julian Anastasov ja at ssi.bg
Tue Sep 11 00:18:30 BST 2012


On Mon, 10 Sep 2012, lvs at elwe.co.uk wrote:

> I will give this a go tomorrow. I just need to find a client on a network 
> with a <1500 byte MTU! I guess I will have to make one.

	I remember that I tested forwarding of ICMP from
client to real server by adding a REJECT rule on the client box,
for example:

test_client# iptables -I INPUT -p tcp -s VIP --sport 80 -j REJECT

	It will reject the SYN-ACK packet.

	The default message is port-unreachable but it
does not matter, tcpdump will show if the message is
correctly forwarded to the real server.

> Under CentOS 3 (traditional interrupts) with SMP affinity set to all cores 
> (or rather half the cores for the external NIC and half for internal NIC) 
> load scaled linearly until it fell off a cliff and load hit 100% and more 
> generated traffic resulted in no more throughput (lots of Xoffs). I also 
> have some old data showing NFCT improving performance on CentOS 3.

	So, keeping netfilter conntracks (conntrack=1) uses
fewer CPU cycles than creating conntracks with every
packet (conntrack=0). I hope you have a large nf_conntrack_max
value for the conntrack=1 case.

> Looking at my monitoring graphs for one director when I flipped conntrack 
> from 1 to 0 overall traffic in the peak hour stayed at 1.4Gb while softirq 
> load on the busiest core rose from around 43% to around 62%. Average 
> softirq load across all cores rose from 27% to 40%. I realise these figures 
> don't tie up with those higher up, but this is a different director with a 
> different mix of services. I have another with no email doing 1.1Gb of 
> traffic and only 15% softirq on the busiest core. Email is expensive to 
> process!


Julian Anastasov <ja at ssi.bg>
