Large number of invalid packets detected

Aleksandar Lazic al-nginx at none.at
Tue May 20 09:47:41 MSD 2008


On Sun 18.05.2008 07:30, Rt Ibmer wrote:
>Aleks wrote:
>>Is it possible to deactivate the iptables, due to the fact that a lot of
>>the high performance setups out there have seen that the connection
>>tracking with iptables has really bad performance impacts?
>
>Thanks for your reply.  Can you elaborate on what the "really bad
>performance impacts" are on this? 

http://people.netfilter.org/kadlec/nftest.pdf

--- on page 6
.
.
Figure 7, 8 displays the results on conntrack: the maximal performance
halved compared to the plain routing case and the maximal new connection
rate is around 25,000 new connections/s, while the packet rate is about
330-340,000 pps. It is clear that connection tracking is an expensive
operation, which requires a lot of resources from the system.
.
.
---

BR

Aleks




