On 07.05.2015 14:30, Vincent Bernat wrote:
> ❦ 7 May 2015 13:11 +0100, Neil - HAProxy List <[email protected]> :
>
>> I'm after a 'definitivish' reference for setting up conntrack.
>>
>> I've been hit by having too small a table on some new VMs, as Ubuntu, by
>> default, sizes the table by memory size.
>>
>> Before that I was completely ignorant of the role of conntrack.
>>
>> Having forced the size got rid of that, but leaves me thinking I need
>> to understand this better, and do I want to track incoming http
>> connections at all? Do I just want to conntrack http connections to
>> backends?
>
> Do you have a firewall? Otherwise, just don't load the conntrack related
> modules (nf_conntrack and friends) or put a simple "iptables -t raw -I
> PREROUTING -j NOTRACK" command in a start script.
>
Has anyone actually verified that in a firewall case NOTRACK makes things faster? The 3.15 kernel has apparently seen big improvements in that area:

http://netoptimizer.blogspot.de/2014/04/full-scalability-for-netfilter.html

I'm wondering if it might actually be faster to use conntrack and have an accept rule for established connections first in the FORWARD chain, as opposed to using NOTRACK and then potentially having all packets checked by multiple iptables rules.

Regards,
Dennis
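The two layouts discussed in this thread, written out as an added example (not code from any of the posters): Vincent's "don't track anything" raw-table rule set, Dennis's "track, but accept ESTABLISHED first" filter rule set, and a small check for the headroom problem Neil hit (a conntrack table that fills up; the kernel then logs "nf_conntrack: table full, dropping packet"). The rule sets are in iptables-restore format so they can be reviewed before being loaded; the port numbers and the 80% threshold are assumptions chosen for the illustration. The usage check takes the directory holding the nf_conntrack_* sysctl files as a parameter so it can be exercised against a constructed sample as well as the live /proc/sys/net/netfilter.

```shell
#!/bin/sh
# Added example: conntrack-free vs. conntrack-first firewall layouts,
# plus a conntrack table headroom check. Not from the mailing-list thread.

# Layout A (Vincent): the raw table is evaluated before connection
# tracking, so NOTRACK there means no conntrack entry is ever created.
# Every packet then has to be matched by the full filter chain on its own.
ruleset_notrack() {
  cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT
EOF
}

# Layout B (Dennis): keep conntrack and accept ESTABLISHED,RELATED as the
# very first rule of INPUT and FORWARD, so only the first packet of each
# connection walks the remaining rules. Ports 80/443 are assumed values.
ruleset_conntrack() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Percentage of the conntrack table in use. Reads nf_conntrack_count and
# nf_conntrack_max from the given directory (default: the live sysctl
# tree, which only exists once nf_conntrack is loaded).
conntrack_usage_pct() {
  dir=${1:-/proc/sys/net/netfilter}
  count=$(cat "$dir/nf_conntrack_count") || return 2
  max=$(cat "$dir/nf_conntrack_max") || return 2
  [ "$max" -gt 0 ] || return 2
  echo $(( count * 100 / max ))
}

# Succeeds while usage is below the limit (default 80%), fails otherwise.
# Raising the ceiling is done with: sysctl -w net.netfilter.nf_conntrack_max=N
conntrack_check() {
  pct=$(conntrack_usage_pct "$1") || return 2
  limit=${2:-80}
  [ "$pct" -lt "$limit" ]
}

# Stand-alone run: show both rule sets and, if the tracker is loaded,
# the current table usage. Loading a rule set would be
#   ruleset_conntrack | iptables-restore
# and is deliberately not done here.
if [ "${1:-}" = "show" ]; then
  echo "# --- layout A: NOTRACK ---"; ruleset_notrack
  echo "# --- layout B: conntrack, ESTABLISHED first ---"; ruleset_conntrack
  if pct=$(conntrack_usage_pct 2>/dev/null); then
    echo "# conntrack table usage: ${pct}%"
  else
    echo "# conntrack not loaded, no table to measure"
  fi
fi
```

Run it with `sh script.sh show` to print both rule sets and the live table usage; neither rule set is applied unless you pipe it into iptables-restore yourself. Layout B is the one to measure against layout A on a 3.15+ kernel, since the question in the thread is exactly whether one early conntrack match beats a full chain walk for every packet.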

