> I'm doing some tcp benches on a netfilter enabled box and noticed
> huge and surprising perf decrease when loading iptable_nat module.

Rather similar to the results I posted about a week ago.
> - Another (old) question: why are conntrack or nat active when there are
> no rules configured (using them or not)?

I noticed this too. After a test using conntrack, the next test without "using" conntrack would perform poorly unless I did rmmod.

> Since in my test, each connection is ephemeral (<10ms) ...

When all works correctly, the end of each connection should be noticed by conntrack and the connection removed from the table, right? In which case the table should never get very full. So I'm guessing that a large number of entries in the conntrack table is evidence that packets are being lost. In particular, if the SYN packet arrives but is never forwarded, you get one of those conntrack entries where conntrack thinks (incorrectly) the SYN has been forwarded, so it's waiting for the reply. Ideally the entry should not be added to the table until the packet goes out.

Just wondering, how did you measure CPU load?
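One way to check the hypothesis above (a table full of half-open entries) is to summarize the conntrack table by TCP state and count how many entries are still marked [UNREPLIED], i.e. conntrack saw the SYN but never a reply. The script below is an added example for this thread, not code posted by either participant. It assumes the layout of /proc/net/ip_conntrack ("tcp 6 <ttl> <state> ...") or /proc/net/nf_conntrack ("ipv4 2 tcp 6 <ttl> <state> ..."), and the dump it parses is a constructed sample standing in for a real table.

```shell
#!/bin/sh
# Added example (not from the original thread): summarize a conntrack table
# dump by TCP state and count entries still flagged [UNREPLIED].
# Assumes the old /proc/net/ip_conntrack layout ("tcp 6 <ttl> <state> ...")
# or the newer /proc/net/nf_conntrack layout ("ipv4 2 tcp 6 <ttl> <state> ...").

# Constructed sample dump, standing in for `cat /proc/net/nf_conntrack`.
SAMPLE_DUMP="ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40002 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 112 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40003 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40003 mark=0 zone=0 use=2
ipv4     2 tcp      6 9 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=40004 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40004 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 mark=0 zone=0 use=2"

# summarize_conntrack: read a dump on stdin and print one line per TCP state:
#   <STATE> <total entries> <entries still UNREPLIED>
# Output is sorted by state name so it is stable for scripting.
summarize_conntrack() {
    awk '
        {
            # Find the "tcp" token; the state name is three fields after it
            # (protocol number, timeout, then state), in both layouts.
            for (i = 1; i <= NF; i++) if ($i == "tcp") { state = $(i + 3); break }
            if (i > NF) next                      # not a TCP entry (e.g. udp)
            total[state]++
            if ($0 ~ /\[UNREPLIED\]/) unreplied[state]++
        }
        END {
            for (s in total) printf "%s %d %d\n", s, total[s], unreplied[s] + 0
        }
    ' | sort
}

# unreplied_syn_sent: the specific symptom discussed above, a SYN that was
# seen by conntrack but never answered. Prints the count (0 if none).
unreplied_syn_sent() {
    summarize_conntrack | awk '$1 == "SYN_SENT" { print $3; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run against the constructed sample. On a real box use
#   summarize_conntrack < /proc/net/nf_conntrack
# (or pipe in `conntrack -L`, whose lines start with the protocol name).
printf '%s\n' "$SAMPLE_DUMP" | summarize_conntrack
```

On the sample this prints ESTABLISHED 1 0, SYN_SENT 2 2 and TIME_WAIT 1 0. A growing SYN_SENT count where nearly every entry is UNREPLIED is consistent with the SYN having been accounted for by conntrack without the forwarded packet ever drawing a SYN/ACK; it does not by itself say where the packet was lost.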