Hello,

On Tue, 17 Mar 2020, Marco Lorig wrote:

> On 17.03.2020 at 14:23, Julian Anastasov wrote:
> >
> > Yes, when nf_conntrack is used it would be better to
> > set /proc/sys/net/ipv4/vs/conntrack to 1, as reported by different
> > users, for example:
> >
> > https://marc.info/?t=134728825000003&r=1&w=2
> >
> > In this case, you have to increase nf_conntrack_max sysctl var
> > to allow the desired number of conntracks to be created.
> >
> Ok, I will give it a try. nf_conntrack_max is set to 262144 (default?).
> I would set it to 1024000. Do you have any recommendation for this
> value? ip_vs_conn shows 18753 entries.

Make sure nf_conntrack_count does not reach the nf_conntrack_max value.

> > Another option is to use NOTRACK to disable nf conntracks just for
> > the IPVS traffic:
> >
> > iptables -t raw -A PREROUTING -p tcp -d VIP --dport VPORT -j CT --notrack
> >
> > For local clients use -A OUTPUT -o lo
>
> As we do not use any iptables rule or connection tracking (except for
> ipvs) on the loadbalancer, could it be an option for performance
> optimization to disable nf_conntrack (like ip_conntrack in the past) or
> is it essentially needed for proper ipvs functionality?

If you do not use iptables rules, you can disable it; it is not
needed for the IPVS traffic. Only IP_VS_NFCT, IP_VS_FTP and
IP_VS_PE_SIP depend on it. But as IP_VS_NFCT is not a separate module,
maybe you have to compile IPVS without these features.

Regards

--
Julian Anastasov <j...@ssi.bg>
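
The headroom check advised in the reply above (keep nf_conntrack_count below nf_conntrack_max), written as an added example that is not part of the original thread or of the IPVS project. The function name `conntrack_status`, its `proc_root` argument and the 80/95 percent thresholds are assumptions chosen for illustration; the counters are read from the standard `/proc/sys/net/netfilter` location.

```shell
#!/bin/sh
# Added example: conntrack table headroom check for an IPVS director.
# A full table makes the kernel drop new connections, so alert well before
# nf_conntrack_count reaches nf_conntrack_max.
#
# conntrack_status [proc_root] [warn_pct] [crit_pct]
#   proc_root is hypothetical: it lets the check run against a constructed
#   directory tree; on a real host leave it at the default "/proc".
# Prints one status line. Returns 0 = OK or not loaded, 1 = WARN, 2 = CRIT,
# 3 = unusable nf_conntrack_max.
conntrack_status() {
    root=${1:-/proc}
    warn=${2:-80}   # assumed warning threshold, percent of max
    crit=${3:-95}   # assumed critical threshold, percent of max
    nf="$root/sys/net/netfilter"
    vs="$root/sys/net/ipv4/vs/conntrack"

    # IPVS conntrack sysctl named in the thread; "n/a" if it is absent.
    if [ -r "$vs" ]; then ipvs=$(cat "$vs"); else ipvs="n/a"; fi

    # No nf_conntrack sysctls means the module is not loaded (the
    # "disable it" case from the thread): there is no table to fill.
    if [ ! -r "$nf/nf_conntrack_count" ] || [ ! -r "$nf/nf_conntrack_max" ]; then
        echo "NOTLOADED ipvs_conntrack=$ipvs"
        return 0
    fi

    count=$(cat "$nf/nf_conntrack_count")
    max=$(cat "$nf/nf_conntrack_max")
    if [ "$max" -le 0 ]; then
        echo "UNKNOWN count=$count max=$max ipvs_conntrack=$ipvs"
        return 3
    fi
    pct=$(( count * 100 / max ))   # integer percent, rounded down

    state=OK; rc=0
    if [ "$pct" -ge "$crit" ]; then state=CRIT; rc=2
    elif [ "$pct" -ge "$warn" ]; then state=WARN; rc=1
    fi
    echo "$state count=$count max=$max used=${pct}% ipvs_conntrack=$ipvs"
    return $rc
}
# On a real director: conntrack_status /proc 80 95
```

The return codes follow the common 0/1/2 monitoring-plugin convention, so the function can be called from cron or a monitoring agent as is.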