Linux Tracking Connection NetFilter tuning

Source: Internet
Author: User

NetFilter Introduction

Netfilter in the Linux kernel is a stateful firewall framework built on connection tracking (conntrack). Conntrack is the core of Netfilter: many of the extended features, such as address translation (NAT) and application-layer protocol identification (the L7, layer-7 filter module), are built on top of connection tracking.

The nf_conntrack module was introduced in kernel 2.6.15 (released 2006-01-03) to support both IPv4 and IPv6, replacing the IPv4-only ip_conntrack. It tracks the state of each connection for use by other modules.

Main parameter Introduction

# Hash table size (read-only through sysctl; on a 64-bit system with 8 GB of memory the default is 65536, doubling at 16 GB, and so on; the exact default depends on the kernel version)
net.netfilter.nf_conntrack_buckets
# Maximum number of tracked connections, default nf_conntrack_buckets * 4 (net.nf_conntrack_max is the legacy alias of the same value)
net.netfilter.nf_conntrack_max
net.nf_conntrack_max
    • Note: Tracked connections are stored in a hash table; each bucket is the head of one linked list of entries, so the longer the lists grow relative to the number of buckets, the more expensive every lookup becomes.
    • Note: The conntrack table lives in kernel memory, which is never swapped out.
    • Note: Hash table size as a rule of thumb: maximum connections / 8 on 64-bit, maximum connections / 4 on 32-bit. The ratio the kernel actually used is printed when the module loads (see the dmesg check below).
    • Note: On a 32-bit system each tracked connection costs about 300 bytes.
    • Note: On 64-bit, with nf_conntrack_max = 1048576 and hashsize = 262144, the table uses up to about 350 MB.

Status View

1. Find the hash table size (buckets) and the maximum number of tracked connections (max)

# The bucket and max values chosen when the module was loaded:
sudo dmesg | grep conntrack

Result:
[6010550.921211] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)

2. Find the hash table (slab cache) usage

# The first four numeric columns are: active objects, total objects available, size of each object (bytes), objects per slab
grep conntrack /proc/slabinfo

Result:
nf_conntrack_ffffffff81ad9d40    865    918    4 : tunables    0    0    0 : slabdata    0

3. Find the number of connections currently being tracked

cat /proc/net/nf_conntrack | wc -l

Note: Walking /proc/net/nf_conntrack on a busy host is expensive; the same count is available from the sysctl net.netfilter.nf_conntrack_count, which is what a monitoring check should read.

4. Tracked connection details

cat /proc/net/nf_conntrack
ipv4     2 tcp      6 2 CLOSE src=100.116.203.128 dst=172.16.105.212 sport=62226 dport=8080 src=172.16.105.212 dst=100.116.203.128 sport=8080 dport=62226 [ASSURED] mark=0 zone=0 use=2

Record format:
# Network-layer protocol name, network-layer protocol number, transport-layer protocol name, transport-layer protocol number, seconds left before the record expires, connection state (only for protocols that have one, such as TCP)
# followed by key=value pairs or flags. The same key can appear twice on one line (src, dst, sport, dport): the first occurrence is the original direction (the request), the second is the reply direction (the response).
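The record format above, turned into the checks an operator actually wants from it: a per-protocol, per-state tally, a count of half-open (UNREPLIED) entries, and the fill ratio of the table. This is an added example, not code from the original page; the conntrack records in it are constructed for the example, and the 80 % threshold in the comment is a rule of thumb, not a kernel constant.

```sh
#!/bin/sh
# Added example, not from the original page: summarise /proc/net/nf_conntrack by
# transport protocol and state, count half-open entries, and compute table fill.
# The records below are constructed for this example in the format described
# above; on a real host pipe `cat /proc/net/nf_conntrack` into the functions.

SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=50112 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=50112 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=50115 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=50115 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 2 CLOSE src=100.116.203.128 dst=172.16.105.212 sport=62226 dport=8080 src=172.16.105.212 dst=100.116.203.128 sport=8080 dport=62226 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.5 dst=10.0.0.9 sport=50113 dport=80 src=10.0.0.9 dst=10.0.0.5 sport=80 dport=50113 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 45 SYN_SENT src=10.0.0.5 dst=203.0.113.7 sport=50114 dport=443 [UNREPLIED] src=203.0.113.7 dst=10.0.0.5 sport=443 dport=50114 mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=10.0.0.5 dst=10.0.0.53 sport=40000 dport=53 src=10.0.0.53 dst=10.0.0.5 sport=53 dport=40000 mark=0 zone=0 use=2'

# conntrack_state_summary: records on stdin -> "proto state count" lines, most
# common first. Fields 1-5 are fixed (l3 name, l3 number, l4 name, l4 number,
# seconds to expiry); field 6 is the state only for protocols that have one,
# otherwise it is already a key=value pair or a flag, reported here as "-".
conntrack_state_summary() {
    awk '{
        state = ($6 ~ /=/ || $6 ~ /^\[/) ? "-" : $6
        count[$3 " " state]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# conntrack_unreplied_count: entries whose reply direction was never seen.
# A high number relative to the total points at a SYN flood or a scan, and
# these are the entries that fill the table under attack.
conntrack_unreplied_count() {
    awk '/\[UNREPLIED\]/ { n++ } END { print n + 0 }'
}

# conntrack_fill_pct COUNT MAX: integer percentage of the table in use. On a
# live host read the two sysctls instead of walking /proc/net/nf_conntrack:
#   conntrack_fill_pct "$(sysctl -n net.netfilter.nf_conntrack_count)" \
#                      "$(sysctl -n net.netfilter.nf_conntrack_max)"
# Past roughly 80 % (rule of thumb) raise nf_conntrack_max and hashsize before
# the kernel starts logging "nf_conntrack: table full, dropping packet".
conntrack_fill_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_state_summary
echo "unreplied: $(printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_unreplied_count)"
echo "fill: $(conntrack_fill_pct 865 65536)%"
```

The state tally is the quickest way to see which timeout from the tuning section below is worth lowering: a table dominated by TIME_WAIT or FIN_WAIT entries is a timeout problem, a table dominated by UNREPLIED SYN_SENT entries is a flood, and only a table dominated by ESTABLISHED entries is a genuine capacity problem.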

Connection Tracking Tuning

    • Calculation formula (the figures below are for 64-bit; in general CONNTRACK_MAX = RAM in bytes / 16384 / (architecture bits / 32), so on 32-bit the final divisor is 1 instead of 2)
    • CONNTRACK_MAX (maximum number of tracked connections) = RAM in GB * 1024 * 1024 * 1024 / 16384 / 2 = * * *
    • Buckets (hash table size) = CONNTRACK_MAX / 4 = * * *
    • Maximum memory used by tracking = CONNTRACK_MAX * (bytes per entry) = * * * (bytes)

Note: If the firewall cannot be turned off, the basic approach is to raise nf_conntrack_buckets and nf_conntrack_max and to shorten the timeouts.
Note: Apart from parameters that belong together, change one value at a time, write down the default first, and restore it if the effect is not noticeable or things get worse.

1. Hash table (bucket) size tuning

Note: net.netfilter.nf_conntrack_buckets cannot be written through sysctl (the write returns an error). The size is the hashsize parameter of the nf_conntrack module, which is changed through /sys/module or through a modprobe options file.

# Takes effect immediately, lost on reboot (as root):
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
------------------------------------------------------
# Permanent (takes effect when the module is next loaded, i.e. after a restart): create a new file under /etc/modprobe.d/ that sets the hashsize option of nf_conntrack

2. Maximum number of tracked connections tuning

# Takes effect immediately, lost on reboot (net.nf_conntrack_max is the legacy alias of net.netfilter.nf_conntrack_max; both refer to the same value):
sudo sysctl -w net.netfilter.nf_conntrack_max=1048576
sudo sysctl -w net.nf_conntrack_max=1048576
------------------------------------------------------
# Permanent: add to /etc/sysctl.conf
net.netfilter.nf_conntrack_max=1048576
net.nf_conntrack_max=1048576
# To apply the settings in the configuration file right away:
sudo sysctl -p /etc/sysctl.conf

3. Timeout tuning

# Takes effect immediately, lost on reboot
# FIN_WAIT and TIME_WAIT: the last states on the side that closed actively. Default 120 seconds each
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
# CLOSE_WAIT: the passive side has received the FIN and acknowledged it, and moves to LAST_ACK once it sends its own FIN; unless the application is buggy this state is normally very short. Default 60 seconds
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
# ESTABLISHED: in theory it does not need to be anywhere near this long; keeping it no lower than net.ipv4.tcp_keepalive_time is enough. Default 432000 seconds (5 days)
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=300
------------------------------------------------------
# Permanent: add to the kernel configuration file (/etc/sysctl.conf)
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
net.netfilter.nf_conntrack_tcp_timeout_established=300
# To apply the settings in the configuration file right away:
sudo sysctl -p /etc/sysctl.conf

Note: The example value of 300 seconds is far below the default net.ipv4.tcp_keepalive_time of 7200 seconds, so a TCP connection that sits idle for more than 5 minutes drops out of the table even though both ends still consider it open. Its next packet then arrives with no entry and is classified NEW (or INVALID when nf_conntrack_tcp_loose is 0), and a rule set that only accepts ESTABLISHED,RELATED traffic will drop it. Either lower net.ipv4.tcp_keepalive_time to below the established timeout or keep the established timeout above the longest idle period of your long-lived connections.
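The three tuning steps above (hash size, maximum entries, timeouts) carried through as one script: it applies the sizing formula from the previous section to a host's memory, then emits the persistent fragments that step 1 and step 2 describe only in words. This is an added example, not code from the original page. The file names under /etc/sysctl.d and /etc/modprobe.d are assumptions for illustration; the timeout values are the ones the page recommends, and the 350 bytes per entry is the page's own 64-bit figure.

```sh
#!/bin/sh
# Added example, not from the original page: size the conntrack table from RAM
# using the page's formula and emit the persistent configuration fragments.
# Paths under /etc/sysctl.d and /etc/modprobe.d are assumptions for illustration.

# conntrack_max_for RAM_BYTES ARCH_BITS
#   CONNTRACK_MAX = RAM_BYTES / 16384 / (ARCH_BITS / 32)
# On a live host: RAM_BYTES=$(awk '/MemTotal/ { print $2 * 1024 }' /proc/meminfo)
#                 ARCH_BITS=$(getconf LONG_BIT)
conntrack_max_for() {
    echo $(( $1 / 16384 / ($2 / 32) ))
}

# conntrack_buckets_for CONNTRACK_MAX: hash table size = CONNTRACK_MAX / 4
conntrack_buckets_for() {
    echo $(( $1 / 4 ))
}

# conntrack_mem_mb CONNTRACK_MAX BYTES_PER_ENTRY: worst-case table memory in MiB
# (about 300 bytes per entry on 32-bit; 350 reproduces the page's 64-bit figure)
conntrack_mem_mb() {
    echo $(( $1 * $2 / 1024 / 1024 ))
}

# conntrack_sysctl_conf CONNTRACK_MAX: sysctl fragment on stdout. The timeouts
# are the values recommended above; see the keepalive caveat before using 300.
conntrack_sysctl_conf() {
    cat <<EOF
net.netfilter.nf_conntrack_max = $1
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 15
EOF
}

# conntrack_modprobe_conf BUCKETS: modprobe fragment on stdout. hashsize is a
# module parameter, which is why nf_conntrack_buckets is read-only via sysctl.
conntrack_modprobe_conf() {
    echo "options nf_conntrack hashsize=$1"
}

# Worked example: a 64-bit host with 8 GiB of RAM.
RAM_BYTES=$(( 8 * 1024 * 1024 * 1024 ))
MAX=$(conntrack_max_for "$RAM_BYTES" 64)        # 262144
BUCKETS=$(conntrack_buckets_for "$MAX")         # 65536
echo "# nf_conntrack_max=$MAX buckets=$BUCKETS, up to ~$(conntrack_mem_mb "$MAX" 350) MiB"
echo "# --- /etc/sysctl.d/90-conntrack.conf (assumed path) ---"
conntrack_sysctl_conf "$MAX"
echo "# --- /etc/modprobe.d/nf_conntrack.conf (assumed path) ---"
conntrack_modprobe_conf "$BUCKETS"
# To apply as root: write the two fragments, run `sysctl --system` for the
# sysctl part, and write $BUCKETS to /sys/module/nf_conntrack/parameters/hashsize
# so the already-loaded module picks up the new bucket count without a reboot.
```

For the 8 GiB example the formula lands on 65536 buckets, the same value the page quotes as the 64-bit default for 8 GB, which is a useful sanity check that the arithmetic matches what the kernel does on its own. The script deliberately only prints the fragments: writing them and reloading is the step you do by hand, one parameter at a time, as the note above advises.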

Disabling the connection tracking module

Note: As long as iptables rules use the state (or conntrack) match, it is not appropriate to turn off connection tracking; those rules would simply stop working. Any NAT rule (SNAT, DNAT, MASQUERADE, including the ones container runtimes such as Docker install) depends on it as well.

# Example of such a dependency: without connection tracking there is no state information, so every packet has to be evaluated against the whole rule set from the top, which costs performance. This default rule, usually placed first or very near the top, is the typical case:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Disable step

1. First confirm that nothing will break once the modules are gone

# 1. Find the related modules
sudo lsmod | egrep "ip_table|iptable|nat|conntrack"
# 2. Remove the rules that use -t nat or -m state (or delete the corresponding lines in /etc/sysconfig/iptables)
# View the current rules:
sudo iptables-save
# 3. Edit the iptables configuration file: find IPTABLES_MODULES and remove any conntrack-related module listed there
sudo vim /etc/sysconfig/iptables-config
# 4. Stop iptables
# CentOS 6
sudo service iptables stop
# CentOS 7
sudo systemctl stop iptables

2. Remove the related modules

# rmmod refuses to unload a module that another loaded module still uses, so remove the dependants first: NAT and match modules, then the per-family conntrack modules, then the core module and the defragmentation helpers it pulls in. Newer kernels build the IPv4/IPv6 parts into nf_conntrack and nf_nat themselves, so some of these names will not exist there; go by what lsmod shows.
sudo rmmod iptable_nat
sudo rmmod ip6table_nat
sudo rmmod nf_nat_ipv4
sudo rmmod nf_nat_ipv6
sudo rmmod nf_nat
sudo rmmod xt_conntrack
sudo rmmod nf_conntrack_ipv6
sudo rmmod nf_conntrack_ipv4
sudo rmmod nf_conntrack
sudo rmmod nf_defrag_ipv6
sudo rmmod nf_defrag_ipv4
--------------------------
# To put everything back (modprobe resolves dependencies itself, so the order is not critical):
sudo modprobe nf_defrag_ipv4
sudo modprobe nf_defrag_ipv6
sudo modprobe nf_conntrack
sudo modprobe nf_conntrack_ipv4
sudo modprobe nf_conntrack_ipv6
sudo modprobe xt_conntrack
sudo modprobe nf_nat
sudo modprobe nf_nat_ipv4
sudo modprobe nf_nat_ipv6
sudo modprobe iptable_nat
sudo modprobe ip6table_nat
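Step 2 of the disable procedure ("remove the rules that use -t nat or -m state") is the one people skip, so here is the pre-flight check as a script: it reads iptables-save output and lists every rule that would stop working without connection tracking, which is the condition under which the rmmod sequence above is safe. This is an added example, not code from the original page; the two rule sets in it are constructed for the example, and the rule is only about the rule set, so the lsmod check from step 1 still applies.

```sh
#!/bin/sh
# Added example, not from the original page: scan `iptables-save` output for
# rules that depend on connection tracking before unloading the modules.
# Both rule sets below are constructed for this example.

SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT'

STATELESS_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# conntrack_dependent_rules: iptables-save text on stdin -> "table: rule" for
# every rule that needs conntrack. Everything in the nat table does (NAT is
# implemented on top of conntrack), as does any rule using the state,
# conntrack or helper match or a NAT/CT target in another table.
conntrack_dependent_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # *filter, *nat, *mangle ...
        /^-A / {
            if (table == "nat" ||
                $0 ~ /-m (state|conntrack|helper)/ ||
                $0 ~ /-j (SNAT|DNAT|MASQUERADE|REDIRECT|NETMAP|CT)/)
                print table ": " $0
        }'
}

# conntrack_safe_to_disable: succeeds only when no rule on stdin depends on
# conntrack. Live usage:  sudo iptables-save | conntrack_safe_to_disable
conntrack_safe_to_disable() {
    [ "$(conntrack_dependent_rules | wc -l)" -eq 0 ]
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | conntrack_dependent_rules
if printf '%s\n' "$SAMPLE_RULES" | conntrack_safe_to_disable; then
    echo "no rule depends on conntrack"
else
    echo "the rules above depend on conntrack; do not remove the modules"
fi
```

On the sample rule set the check flags four rules: both nat entries, the ESTABLISHED,RELATED accept and the INVALID drop, exactly the lines that would silently turn the host into a stateless packet filter if the modules were removed first. Run it against both the IPv4 and the IPv6 rule sets (iptables-save and ip6tables-save) before touching the ip6table_nat or nf_conntrack_ipv6 modules.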
