iptables out of memory?

Alan Johnson alan at datdec.com
Fri Jan 30 20:23:20 EST 2009


On Fri, Jan 30, 2009 at 6:23 PM, Kevin D. Clark
<kevin_d_clark at comcast.net> wrote:

> > I also saw high load average at times of high %si, so I had chalked it up
> > to a work-station grade processor not being able to handle a lot of context
> > switching.  Now, I've just cleared out iptables back to the default handful
> > of rules, and I see the %si back down to the usual <3%.  So, I'm guessing
> > that each packet that comes in causes a system interrupt and the more rules in
> > iptables, the more time it takes to process each interrupt.  I can't be sure
> > from these observations though, because the disk wait (%wa) also goes
> > through the roof when I clear out iptables.
>
> I find this to be puzzling, because I do not believe that iptables
> operates in interrupt context.  The interrupts should be serviced as
> quickly as they always are.  The only way that I could envision %si
> going up like this would be if there was some strange bug that
> prevented the interrupt handler from putting the skb on the queue (or
> dropping them on the floor...) while iptables was processing your
> gigantic ruleset.


Interesting.  Like I said, could just be disk IO coming to the forefront as
more log lines are written.  Logs alone won't do it, but the system was
backed up a bit on mail queue (was >170K messages at one point) plus I am
doing a massive delete of old mail, so disk is going N-V-T-S nuts right
now.  Starting about now, there is a giant archive process kicking off,
which will also skew the disk wait for a few days.  Give me a few days,
maybe a couple weeks, and when things settle down on this machine (if they
ever do) I'll let you know what happens.