If you need iptables and don't want to turn off the conntrack module, you can try the NOTRACK target in the PREROUTING chain.
If you set notrack on the ports handled by haproxy (e.g. 80) none of that traffic should be recorded in the tables.

iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

/Stefan

Date: Tue, 6 Oct 2009 10:25:41 -0700
Subject: Kernel tuning recommendations
From: [email protected]
To: [email protected]

We’ve completed a move to Rackspace Cloud and are now using HAproxy as our load balancer. Haproxy is a phenomenal piece of software.

The primary issue I’ve noticed from haproxy is that my backends are frequently going DOWN/UP, and we’re having some long request times as well as serving occasional 504’s.

I’ve been doing my research and understand that I need to do some system tuning via sysctl to get things running properly. All references have different recommendations on what parameters to tune, and I’m a bit hesitant to copy/paste from multiple resources. Is there a baseline set of recommended tunings that I can apply as a first response before digging into the gritty details?

I’ve attached a bunch of details below. Thanks for any help you can provide.

Michael

-------

[mmar...@w1 w1]$ cat /etc/redhat-release
CentOS release 5.3 (Final)

[mmar...@w1 w1]$ uname -a
Linux w1.gamesradar.com 2.6.24-23-xen #1 SMP Mon Jan 26 03:09:12 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux

[mmar...@w1 w1]$ /usr/sbin/haproxy -v
HA-Proxy version 1.3.18 2009/05/10

Here’s what I’m finding in /var/log/messages:

Oct 2 23:12:38 w1 kernel: [1556670.291082] printk: 482 messages suppressed.
Oct 2 23:12:38 w1 kernel: [1556670.291102] nf_conntrack: table full, dropping packet.
Oct 3 01:34:49 w1 kernel: [1566552.616316] possible SYN flooding on port 80. Sending cookies.
Oct 3 03:19:52 w1 kernel: [1572838.886342] printk: 294 messages suppressed.

[mmar...@w1 w1]$ sudo /sbin/sysctl -a | grep ^net
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_retrans_collapse = 1
net.ipv4.ip_forward = 0
net.ipv4.ip_default_ttl = 64
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.ip_nonlocal_bind = 0
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_max_tw_buckets = 180000
net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
net.ipv4.ip_dynaddr = 0
net.ipv4.ipfrag_time = 30
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_stdurg = 0
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.ip_local_port_range = 32768 61000
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.route.min_delay = 2
net.ipv4.route.max_delay = 10
net.ipv4.route.gc_thresh = 262144
net.ipv4.route.max_size = 4194304
net.ipv4.route.gc_min_interval = 0
net.ipv4.route.gc_min_interval_ms = 500
net.ipv4.route.gc_timeout = 300
net.ipv4.route.gc_interval = 60
net.ipv4.route.redirect_load = 5
net.ipv4.route.redirect_number = 9
net.ipv4.route.redirect_silence = 5120
net.ipv4.route.error_cost = 250
net.ipv4.route.error_burst = 1250
net.ipv4.route.gc_elasticity = 8
net.ipv4.route.mtu_expires = 600
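As an added example (not code from this thread or from haproxy), a small Python check that applies Stefan's diagnosis to the kernel messages and sysctl values Michael posted: it counts the conntrack drops and the rate-limited (suppressed) messages that hide further drops, records which ports hit the SYN backlog, and emits the raw-table NOTRACK rule for the haproxy frontend ports. The sample inputs are constructed from the lines quoted above; the names analyse, parse_sysctl and the haproxy_ports parameter are assumptions of this example.

```python
import re
# Constructed sample input: the kernel messages quoted in the thread above.
SAMPLE_LOG = """\
Oct 2 23:12:38 w1 kernel: [1556670.291082] printk: 482 messages suppressed.
Oct 2 23:12:38 w1 kernel: [1556670.291102] nf_conntrack: table full, dropping packet.
Oct 3 01:34:49 w1 kernel: [1566552.616316] possible SYN flooding on port 80. Sending cookies.
Oct 3 03:19:52 w1 kernel: [1572838.886342] printk: 294 messages suppressed.
"""
# Constructed excerpt of the `sysctl -a | grep ^net` output from the thread.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.ip_local_port_range = 32768 61000
"""

CONNTRACK_FULL = re.compile(r"nf_conntrack: table full, dropping packet")
SYN_FLOOD = re.compile(r"possible SYN flooding on port (\d+)\. Sending cookies")
SUPPRESSED = re.compile(r"printk: (\d+) messages suppressed")


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict; values stay strings ("32768 61000")."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def analyse(log_text, sysctl_text, haproxy_ports=(80,)):
    """Count conntrack drops and SYN-flood events, and build the NOTRACK rules
    for the haproxy frontend ports (the fix proposed in the reply above)."""
    settings = parse_sysctl(sysctl_text)
    found = {"conntrack_drops": 0, "suppressed": 0, "syn_flood_ports": []}
    for line in log_text.splitlines():
        if CONNTRACK_FULL.search(line):
            found["conntrack_drops"] += 1
        if (m := SYN_FLOOD.search(line)) and int(m.group(1)) not in found["syn_flood_ports"]:
            found["syn_flood_ports"].append(int(m.group(1)))
        if m := SUPPRESSED.search(line):
            # printk rate limiting hid these lines, so the logged drop count is a lower bound.
            found["suppressed"] += int(m.group(1))
    # Exempt the load-balancer ports from tracking only when conntrack is actually dropping.
    found["notrack_rules"] = [
        f"iptables -t raw -A PREROUTING -p tcp --dport {p} -j NOTRACK" for p in haproxy_ports
    ] if found["conntrack_drops"] else []
    # "possible SYN flooding ... Sending cookies" means the SYN backlog overflowed; report its size.
    found["syn_backlog"] = int(settings.get("net.ipv4.tcp_max_syn_backlog", 0))
    found["syncookies"] = settings.get("net.ipv4.tcp_syncookies") == "1"
    return found
```

Run against a real box, feed it the output of `grep kernel /var/log/messages` and `sysctl -a | grep ^net` instead of the constructed samples.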

