> I hate the way this works in iptables), particularly with the MSSQL
> worm that burst out to the 'net that one Friday night several few
> months ago. Adding a single match udp port, DROP rule to PREROUTING
> chain made the load go back down to normal levels. The same rule in
> the INPUT/FORWARD chain had no affect on the CPU utilization (still
> saturated).
Yes, that's exactly the phenomenon, but operators traditionally
attributed it to other things running on the router (such as
accounting).
> Under normal operation, it looks like most load we are seeing is in fact
> normal route lookups. We run BGP peering, and so there is a lot of
> routes in the table.
You should aggregate the routes before you load them into the kernel.
Hardly anybody seems to do this, but usually, you have much fewer
interfaces than prefixes 8-), so this could result in a huge win.
Anyway, using data structures tailored to the current Internet routing
table, it's certainly possible to do destination-only routing using
half a dozen memory lookups or so (or a few indirect calls, I'm not
sure which option is cheaper).
> I will try playing more with this code and look at your patch and paper.
Well, I didn't write the paper, I found it after discovering the
problem in the kernel. This complexity attack has been resolved, but
this won't help people like you who have to run Linux on an
uncooperative network.
The patch I posted won't help you as it increases the load
considerably unless most of your flows consist of one packet. (And
there's no need for patching, you can go ahead and just change the
value via /proc.)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/