Re: Large number of invalid packets detected

> Is it possible to deactivate the iptables, due to the fact that a lot of the
> high performance setups out there have seen that the connection tracking
> with iptables has really bad performance impacts?

Thanks for your reply. Can you elaborate on what the “really bad
performance impacts” are on this?

At this point, however, I am more concerned about whether indeed there
is some sort of problem with my hardware and/or software at some other
place (outside of iptables) that iptables has brought to light due to
its logging of this issue (which otherwise is invisible - in other words
it does not seem to impact people using the site).

Thanks.

Any idea why Website Domains Names & Hosting | Domain.com is not detected, when I visit:
http://www.domain.com/ ?

listen 80;
server_name www.domain.com;

location / {
    root /var/www/html;
    index index.html index.htm;

    fastcgi_index index.php;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
    include fastcgi.conf;
}

Thanks.

On Sun, May 18, 2008 at 04:36:39PM -0400, Floren M. wrote:

>     fastcgi_index index.php;
>     fastcgi_pass 127.0.0.1:9000;
>     fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
>     include fastcgi.conf;
> }

Because http://www.domain.com/ in this configuration is handled by
/var/www/html/index.php

Is index.html a simple static file?
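
Added example, not part of the thread: one way to lay out the server block so that a static index.html is served by nginx itself and only .php requests are handed to the FastCGI backend. The paths, backend address and fastcgi.conf include are taken from the posted configuration; the split into two locations and the try_files check are assumptions about what the poster wants.

```nginx
server {
    listen 80;
    server_name www.domain.com;

    root /var/www/html;

    # Static content: "/" resolves to index.html (or index.htm) through the
    # index directive and is served from disk, with no FastCGI involved.
    location / {
        index index.html index.htm;
    }

    # Only URIs ending in .php are passed to the FastCGI backend.
    location ~ \.php$ {
        # Return 404 unless the script exists under root, so URIs that merely
        # end in .php are never forwarded to the backend.
        try_files $uri =404;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;

        # fastcgi.conf is the poster's own include file; if it already sets
        # SCRIPT_FILENAME, drop the explicit fastcgi_param line above.
        include fastcgi.conf;
    }
}
```

With the original single `location /`, every request, including "/", goes to 127.0.0.1:9000, which is why the static index page is never returned.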

On Son 18.05.2008 07:30, Rt Ibmer wrote:

Aleks wrote:

>> Is it possible to deactivate the iptables, due to the fact that a lot of
>> the high performance setups out there have seen that the connection
>> tracking with iptables has really bad performance impacts?

> Thanks for your reply. Can you elaborate on what the “really bad
> performance impacts” are on this?

— on page 6
.
.
Figure 7, 8 displays the results on conntrack: the maximal performance
halved compared to the plain routing case and the maximal new connection
rate is around 25,000 new connections/s, while the packet rate is about
330-340,000 pps. It is clear that connection tracking is an expensive
operation, which requires a lot of resources from the system.
.
.

BR

Aleks

On Sun, 2008-05-18 at 07:30 -0700, Rt Ibmer wrote:

>> Is it possible to deactivate the iptables, due to the fact that a lot of the
>> high performance setups out there have seen that the connection tracking
>> with iptables has really bad performance impacts?

It scales pretty well until getting well past 10k connections. I don’t
think this is a real concern in this case.

> At this point, however, I am more concerned about whether indeed there
> is some sort of problem with my hardware and/or software at some other
> place (outside of iptables) that iptables has brought to light due to
> its logging of this issue (which otherwise is invisible - in other
> words it does not seem to impact people using the site).

I’d suspect hardware/firmware issues, either your server’s NIC (perhaps
not 100% Linux-supported?), your hosting company’s switch/router, or
even a bad cable. The forum you linked to is quite descriptive and
you’ll find that one poster (IPTables Friend 10:59 am on Nov. 10, 2007)
specifically mentions resolving this issue by reconfiguring an upstream
router that was doing packet-mangling.

Regards,
Cliff