On 29/04/2012 20:01, Willy Tarreau wrote:
What I could suggest would be:
- reduce /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait to 30s
- increase /proc/sys/net/netfilter/nf_conntrack_max to 524288 conns.
- increase hashsize to 131072 buckets.
This will help you support up to 8700 conn/s without trouble. You just
need to scale the latter two settings accordingly if you plan to go higher.
You could also disable connection tracking altogether using the
NOTRACK target in the "raw" table.
iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp --dport 443 -j NOTRACK
Note however that you will no longer be able to carry out any connection
tracking logic on matched packets, including no NAT, syncookie
protection, etc.
Jinn
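The sizing rule behind those three numbers, as an added shell example that is not part of the thread: it assumes the conntrack table holds roughly rate × TIME_WAIT-timeout entries at steady state, doubles that for headroom and rounds up to a power of two, and keeps hashsize at a quarter of nf_conntrack_max (the ratio the kernel has traditionally used for its default). It also adds a fill-level check against nf_conntrack_count; the proc directory is a parameter so the check can be exercised against constructed values.

```shell
#!/bin/sh
# Conntrack sizing and fill-level check (added example, not from the thread).
# Assumption: steady-state entries ~ rate * time_wait_timeout; doubled for
# headroom, rounded up to a power of two; hashsize = nf_conntrack_max / 4.

# next_pow2 N -> smallest power of two >= N
next_pow2() {
    p=1
    while [ "$p" -lt "$1" ]; do p=$((p * 2)); done
    echo "$p"
}

# conntrack_max RATE TIMEOUT -> recommended nf_conntrack_max
conntrack_max() {
    next_pow2 $(( $1 * $2 * 2 ))
}

# hashsize MAX -> recommended number of hash buckets (MAX / 4)
hashsize() {
    echo $(( $1 / 4 ))
}

# usage_pct COUNT MAX -> table fill level in whole percent
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_conntrack_table [PROCDIR]
# Reads nf_conntrack_count and nf_conntrack_max from PROCDIR (default
# /proc/sys/net/netfilter), prints the fill level and returns non-zero
# when the table is 80% full or more, i.e. when drops are imminent.
check_conntrack_table() {
    dir=${1:-/proc/sys/net/netfilter}
    if [ ! -r "$dir/nf_conntrack_count" ]; then
        echo "conntrack not loaded or $dir unreadable" >&2
        return 1
    fi
    count=$(cat "$dir/nf_conntrack_count")
    max=$(cat "$dir/nf_conntrack_max")
    pct=$(usage_pct "$count" "$max")
    echo "conntrack table ${pct}% full ($count/$max)"
    [ "$pct" -lt 80 ]
}

# Worked instance: the thread's 8700 conn/s with a 30 s TIME_WAIT timeout
max=$(conntrack_max 8700 30)                               # 524288
echo "nf_conntrack_max=$max hashsize=$(hashsize "$max")"   # hashsize=131072
```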