Here are the adjusted IPv4 settings I use on my haproxy box - I picked
these up from around the web, and they seem to work for me, not that
they are in use on a particularly high volume site currently.
Chris
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65023
# net.ipv4.tcp_max_syn_backlog = 10240   (superseded: the same key is set to 45000 below and the last value wins)
net.ipv4.tcp_max_tw_buckets = 400000
net.ipv4.tcp_max_orphans = 60000
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 45000
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_rmem = 4096 8192 16384
net.ipv4.tcp_wmem = 4096 8192 16384
net.ipv4.tcp_mem = 65536 98304 131072
net.core.somaxconn = 40000
net.core.netdev_max_backlog = 40000
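An added example, not part of the thread: a small checker for a sysctl.conf-style fragment. It reports a key that is set twice (sysctl applies lines in order, so the later value is the one that takes effect), checks that the three-value rmem/wmem/tcp_mem entries are non-decreasing, and validates the ephemeral port range. The input is the list above, reproduced verbatim as constructed sample data; the 64 KiB buffer threshold is a heuristic chosen for this example.

```python
"""Sanity-check a sysctl.conf-style fragment before applying it.

Added example; not code from the thread. The sample input is the list
posted above, kept verbatim so the duplicated key in it gets reported.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: the posted IPv4 settings. net.ipv4.tcp_max_syn_backlog
# appears twice; sysctl applies lines in order, so 45000 is what takes effect.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65023
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_max_tw_buckets = 400000
net.ipv4.tcp_max_orphans = 60000
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 45000
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_rmem = 4096 8192 16384
net.ipv4.tcp_wmem = 4096 8192 16384
net.ipv4.tcp_mem = 65536 98304 131072
net.core.somaxconn = 40000
net.core.netdev_max_backlog = 40000
"""

# Keys whose value is a "min default max" (rmem/wmem, in bytes) or
# "low pressure high" (tcp_mem, in pages) triple that must be non-decreasing.
TRIPLE_KEYS = ("net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem", "net.ipv4.tcp_mem")

# Heuristic threshold chosen for this example (not a kernel constant): a
# per-socket buffer ceiling below 64 KiB caps the TCP window very low.
SMALL_BUFFER_MAX = 65536

LINE_RE = re.compile(r"^([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective settings, warnings). A key seen twice is reported
    and the later value wins, matching what `sysctl -p` does."""
    settings: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            warnings.append(f"line {lineno}: cannot parse {raw!r}")
            continue
        key, value = m.group(1), m.group(2)
        if key in settings:
            warnings.append(
                f"line {lineno}: {key} already set to {settings[key]}; "
                f"{value} wins"
            )
        settings[key] = value
    return settings, warnings


def check_settings(settings: Dict[str, str]) -> List[str]:
    """Cross-check values that are easy to get wrong in a hand-edited file."""
    problems: List[str] = []
    for key in TRIPLE_KEYS:
        if key not in settings:
            continue
        parts = settings[key].split()
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            problems.append(f"{key}: expected three integers, got {settings[key]!r}")
            continue
        lo, mid, hi = (int(p) for p in parts)
        if not lo <= mid <= hi:
            problems.append(f"{key}: values must be non-decreasing, got {settings[key]}")
        elif key != "net.ipv4.tcp_mem" and hi < SMALL_BUFFER_MAX:
            problems.append(f"{key}: max of {hi} bytes is below {SMALL_BUFFER_MAX}")
    rng = settings.get("net.ipv4.ip_local_port_range")
    if rng is not None:
        parts = rng.split()
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            problems.append(f"net.ipv4.ip_local_port_range: expected two integers, got {rng!r}")
        else:
            lo, hi = int(parts[0]), int(parts[1])
            if not 1 <= lo < hi <= 65535:
                problems.append(f"net.ipv4.ip_local_port_range: bad range {rng}")
    return problems


if __name__ == "__main__":
    effective, warns = parse_sysctl(SAMPLE_SYSCTL)
    for w in warns + check_settings(effective):
        print("WARNING:", w)
```

Run it on the fragment above and it flags the duplicated tcp_max_syn_backlog (45000 is what the kernel ends up with) and the 16 KiB rmem/wmem ceilings; everything else passes.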
Quoting Michael Marano <[email protected]>:
Subsequent load tests proved me wrong. I'm still getting the nf_conntrack
messages. Perhaps I've misconfigured my iptables rules?
# bits of /var/log/messages
Oct 6 21:58:40 w1 kernel: [3718555.091684] printk: 2 messages suppressed.
Oct 6 21:58:40 w1 kernel: [3718555.091705] nf_conntrack: table full, dropping packet.
Oct 6 21:58:41 w1 kernel: [3718290.353966] device eth0 entered promiscuous mode
Oct 6 21:58:43 w1 kernel: [3718558.070993] nf_conntrack: table full, dropping packet.
Oct 6 21:58:44 w1 kernel: [3718559.097679] nf_conntrack: table full, dropping packet.
I've got this in a shell script:
----
#!/bin/sh
# Flush the filter table (the default for -F) and the raw table too,
# otherwise re-running this script stacks duplicate NOTRACK rules in raw.
sudo /sbin/iptables -F
sudo /sbin/iptables -t raw -F
sudo /sbin/iptables -A INPUT -i lo -j ACCEPT
sudo /sbin/iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -j ACCEPT
# Tell conntrack to skip the ports haproxy listens on. Untracked packets never
# match the ESTABLISHED,RELATED rule above, so each port keeps its own ACCEPT
# in INPUT. The OUTPUT rules untrack the reply direction as well; without
# them conntrack picks the flow up mid-stream from the replies and fills up
# anyway. These rules live in the raw table, so plain "iptables -L" does not
# show them; use "iptables -t raw -L -n".
sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
sudo /sbin/iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK
sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 8080 -j NOTRACK
sudo /sbin/iptables -t raw -A OUTPUT -p tcp --sport 8080 -j NOTRACK
# ... Rules to allow stuff...
sudo /sbin/iptables -A INPUT -j REJECT
sudo /sbin/iptables -A FORWARD -j REJECT
------
But then when I list my tables, I'm not seeing anything about the NOTRACK
rules.
-----
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:81
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
-----
Michael Marano
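An added example, not from the thread: detection logic for the symptom in the post. It parses kernel log lines, counts "nf_conntrack: table full, dropping packet" messages, folds in the ratelimiter's "N messages suppressed" notices (which is why the visible count understates the real drop rate), and classifies live table usage from nf_conntrack_count and nf_conntrack_max. The sample log is the excerpt above, rejoined, and is constructed input; the 80% warning threshold is this example's choice, not a kernel value.

```python
"""Summarise "nf_conntrack: table full" drops from a kernel log and check
conntrack table headroom. Added example, not code from the thread."""
import re
from typing import Dict, Iterable, Optional

# Constructed input: the /var/log/messages excerpt from the post with the
# wrapped lines rejoined, plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
Oct 6 21:58:40 w1 kernel: [3718555.091684] printk: 2 messages suppressed.
Oct 6 21:58:40 w1 kernel: [3718555.091705] nf_conntrack: table full, dropping packet.
Oct 6 21:58:41 w1 kernel: [3718290.353966] device eth0 entered promiscuous mode
Oct 6 21:58:43 w1 kernel: [3718558.070993] nf_conntrack: table full, dropping packet.
Oct 6 21:58:44 w1 kernel: [3718559.097679] nf_conntrack: table full, dropping packet.
"""

# syslog prefix: "Mon DD HH:MM:SS host kernel: [uptime] message"
KLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] (?P<msg>.*)$"
)
DROP_RE = re.compile(r"nf_conntrack: table full, dropping packet")
# The ratelimiter's own notice; the wording differs between kernel versions.
SUPPRESSED_RE = re.compile(
    r"(?:printk: (\d+) messages suppressed|__ratelimit: (\d+) callbacks suppressed)"
)


def summarize_conntrack_drops(lines: Iterable[str]) -> Dict[str, object]:
    """Count drop messages and rate-limited suppressions.

    printk rate limiting is global, so the suppressed count is attributed to
    conntrack only as an estimate: it is an upper bound if other kernel
    messages were also being suppressed at the time.
    """
    reported = suppressed = 0
    per_host: Dict[str, int] = {}
    first = last = None
    for line in lines:
        m = KLOG_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        if DROP_RE.search(msg):
            reported += 1
            host = m.group("host")
            per_host[host] = per_host.get(host, 0) + 1
            first = first or m.group("ts")
            last = m.group("ts")
        else:
            s = SUPPRESSED_RE.search(msg)
            if s:
                suppressed += int(s.group(1) or s.group(2))
    return {
        "reported": reported,
        "suppressed": suppressed,
        "estimated_total": reported + suppressed,
        "per_host": per_host,
        "first": first,
        "last": last,
    }


def conntrack_headroom(count: int, maximum: int, warn_at: float = 0.8) -> Dict[str, object]:
    """Classify table usage. warn_at is this example's threshold, not a kernel value."""
    if maximum <= 0:
        raise ValueError("nf_conntrack_max must be positive")
    used = count / maximum
    return {"used_fraction": used, "free": maximum - count, "warn": used >= warn_at}


def read_live_headroom(procdir: str = "/proc/sys/net/netfilter") -> Optional[Dict[str, object]]:
    """Read the live counters on a kernel with nf_conntrack; None if unavailable."""
    try:
        with open(f"{procdir}/nf_conntrack_count") as f:
            count = int(f.read())
        with open(f"{procdir}/nf_conntrack_max") as f:
            maximum = int(f.read())
    except (OSError, ValueError):
        return None
    return conntrack_headroom(count, maximum)


if __name__ == "__main__":
    print(summarize_conntrack_drops(SAMPLE_LOG.splitlines()))
    print(read_live_headroom() or "conntrack counters not available on this host")
```

On the excerpt above this reports 3 visible drops plus 2 suppressed, so at least 5 packets were dropped in those four seconds; the "device eth0 entered promiscuous mode" line is ignored.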
From: Michael Marano <[email protected]>
Date: Tue, 06 Oct 2009 13:49:02 -0700
To: Stefan Johansson <[email protected]>, <[email protected]>
Conversation: Kernel tuning recommendations
Subject: Re: Kernel tuning recommendations
Stefan,
That seems to have eliminated any log messages in my staging environment
under a load test. I think that will do the trick. Thanks for your help.
Any general recommendations for sysctl settings would still be appreciated.
This is the first time I've had to tune the kernel settings so any guidance
will help.
Michael Marano
From: Stefan Johansson <[email protected]>
Date: Tue, 6 Oct 2009 22:27:49 +0200
To: Michael Marano <[email protected]>, <[email protected]>
Subject: RE: Kernel tuning recommendations
iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
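An added example, not from the thread: a check that the NOTRACK rules actually landed in the raw table and cover both directions of each haproxy port. It parses `iptables-save -t raw` output (rather than `iptables -L`, which only lists the filter table), accepts both the classic NOTRACK target and its later spelling `CT --notrack`, and prints the commands still missing. The sample output below is constructed to match the two PREROUTING rules from the script earlier in the thread.

```python
"""Verify NOTRACK coverage for haproxy ports from `iptables-save -t raw`
output. Added example, not code from the thread."""
import re
from typing import Dict, Iterable, List

# Constructed input: what `iptables-save -t raw` prints when only the two
# PREROUTING rules from the script in the thread are loaded.
SAMPLE_RAW_SAVE = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 8080 -j NOTRACK
COMMIT
"""

# Matches both the classic NOTRACK target and its newer spelling, CT --notrack.
RULE_RE = re.compile(
    r"^-A (?P<chain>PREROUTING|OUTPUT) .*-p tcp .*--(?P<dir>dport|sport) (?P<port>\d+) "
    r".*-j (?:NOTRACK|CT --notrack)\b"
)


def notrack_coverage(save_text: str, ports: Iterable[int]) -> Dict[int, Dict[str, bool]]:
    """For each port: is the inbound direction (PREROUTING --dport) and the
    reply direction (OUTPUT --sport) untracked?"""
    cover = {int(p): {"in": False, "out": False} for p in ports}
    for line in save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        port = int(m.group("port"))
        if port not in cover:
            continue
        if m.group("chain") == "PREROUTING" and m.group("dir") == "dport":
            cover[port]["in"] = True
        elif m.group("chain") == "OUTPUT" and m.group("dir") == "sport":
            cover[port]["out"] = True
    return cover


def missing_rules(cover: Dict[int, Dict[str, bool]]) -> List[str]:
    """iptables commands that would complete the coverage."""
    cmds: List[str] = []
    for port, c in sorted(cover.items()):
        if not c["in"]:
            cmds.append(f"iptables -t raw -A PREROUTING -p tcp --dport {port} -j NOTRACK")
        if not c["out"]:
            cmds.append(f"iptables -t raw -A OUTPUT -p tcp --sport {port} -j NOTRACK")
    return cmds


if __name__ == "__main__":
    # On a real box: iptables-save -t raw | python3 thisfile.py (read stdin)
    cov = notrack_coverage(SAMPLE_RAW_SAVE, [80, 8080])
    for cmd in missing_rules(cov):
        print("missing:", cmd)
```

For the sample input both ports are untracked inbound but not on the reply side, so the tool lists the two OUTPUT --sport rules as missing; feeding it the live `iptables-save -t raw` output gives the same check for a running host.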