Wed, 16 Nov 2005
IP conntrack testing
We have a filtering router running Linux, which has around 1400 iptables rules and multiple gigabit interfaces. For a long time I have wanted to explore the newer features of Netfilter, such as IP connection tracking (and the raw table with the NOTRACK target), ulogd, etc.
On Saturday I booted the new kernel with ip_conntrack and the whole set of other Netfilter bells and whistles. I have not played with it so far, but connection tracking is on, and it seems to have had no significant performance impact on the server itself:
The above graphs show packets per second routed, CPU usage (system time and user+system time), and the number of tracked connections. The new kernel with conntrack support has been on since Saturday evening.
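The "number of connections" curve above is the size of the conntrack table, and the one operational caveat of turning conntrack on is that the table has a hard ceiling (ip_conntrack_max): once it fills, new flows are dropped, which is exactly the point where the raw table and NOTRACK become useful for exempting high-volume flows. The script below is an added example, not code from the original post. It parses a snapshot of /proc/net/ip_conntrack (a constructed sample is embedded; the live path is only read if it exists), counts entries per protocol and TCP state, groups half-open SYN_SENT/UNREPLIED entries by source so a scan or SYN flood stands out, and reports how close the table is to the limit. It goes slightly beyond the 2005 setup in that it also accepts the later /proc/net/nf_conntrack line format, which prefixes each entry with the address family. The warning fraction of 0.8 is an assumption, not a kernel default.

```python
"""Summarise a conntrack table snapshot and check it against the table limit.

Added example (not from the original post). The sample below is constructed,
not captured from the author's router. Format handled: one entry per line,
[ipv4/ipv6 <family number>] proto protonum timeout [TCP state] key=value...
with [ASSURED]/[UNREPLIED] flags; the second src= starts the reply tuple.
"""
import os
from collections import Counter

# Constructed sample of /proc/net/ip_conntrack (2.6-era format).
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=44321 dport=80 packets=10 bytes=1234 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=44321 packets=8 bytes=5678 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=40001 dport=22 packets=1 bytes=60 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=22 dport=40001 packets=0 bytes=0 mark=0 use=1
tcp      6 118 SYN_SENT src=192.0.2.11 dst=198.51.100.6 sport=40002 dport=22 packets=1 bytes=60 [UNREPLIED] src=198.51.100.6 dst=192.0.2.11 sport=22 dport=40002 packets=0 bytes=0 mark=0 use=1
tcp      6 117 SYN_SENT src=192.0.2.11 dst=198.51.100.7 sport=40003 dport=22 packets=1 bytes=60 [UNREPLIED] src=198.51.100.7 dst=192.0.2.11 sport=22 dport=40003 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.0.2.12 dst=198.51.100.53 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=198.51.100.53 dst=192.0.2.12 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
udp      17 170 src=192.0.2.10 dst=198.51.100.53 sport=5000 dport=53 packets=2 bytes=120 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5000 packets=2 bytes=300 [ASSURED] mark=0 use=1
icmp     1 29 src=192.0.2.13 dst=198.51.100.1 type=8 code=0 id=512 packets=1 bytes=84 [UNREPLIED] src=198.51.100.1 dst=192.0.2.13 type=0 code=0 id=512 packets=0 bytes=0 mark=0 use=1
"""

# Older (ip_conntrack) and newer (nf_conntrack) locations of the table and limit.
TABLE_PATHS = ("/proc/net/ip_conntrack", "/proc/net/nf_conntrack")
MAX_PATHS = ("/proc/sys/net/ipv4/ip_conntrack_max",
             "/proc/sys/net/netfilter/nf_conntrack_max")


def parse_entry(line):
    """Parse one conntrack line into proto, TCP state, flags and both tuples."""
    tokens = line.split()
    if tokens and tokens[0] in ("ipv4", "ipv6"):
        tokens = tokens[2:]          # nf_conntrack prefixes the address family
    if len(tokens) < 3:
        return None
    entry = {"proto": tokens[0], "timeout": int(tokens[2]), "state": None,
             "flags": set(), "orig": {}, "reply": {}}
    rest = tokens[3:]
    if entry["proto"] == "tcp":      # only TCP entries carry a state field
        entry["state"], rest = rest[0], rest[1:]
    direction = entry["orig"]
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok[1:-1])
            continue
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        if direction is entry["orig"] and key in direction:
            direction = entry["reply"]   # repeated key: reply tuple begins
        direction[key] = value
    return entry


def summarize(table_text, conntrack_max, warn_fraction=0.8):
    """Count entries, flag half-open TCP by source, compare against the limit."""
    entries = [e for e in map(parse_entry, table_text.splitlines()) if e]
    half_open = Counter(e["orig"]["src"] for e in entries
                        if e["proto"] == "tcp" and e["state"] == "SYN_SENT"
                        and "UNREPLIED" in e["flags"])
    total = len(entries)
    return {
        "total": total,
        "by_proto": dict(Counter(e["proto"] for e in entries)),
        "tcp_states": dict(Counter(e["state"] for e in entries if e["proto"] == "tcp")),
        "unreplied": sum("UNREPLIED" in e["flags"] for e in entries),
        "half_open_by_src": dict(half_open),
        "usage": total / conntrack_max,
        "near_limit": total >= warn_fraction * conntrack_max,
    }


def read_live():
    """Return (table text, max) from /proc if a conntrack table is present."""
    for table, limit in zip(TABLE_PATHS, MAX_PATHS):
        if os.path.exists(table) and os.path.exists(limit):
            with open(table) as t, open(limit) as m:
                return t.read(), int(m.read().strip())
    return None


if __name__ == "__main__":
    live = read_live()
    text, limit = live if live else (SAMPLE_TABLE, 10)  # 10 is a toy limit for the sample
    s = summarize(text, limit)
    print("entries %d / max %d (%.0f%%)%s" % (s["total"], limit, 100 * s["usage"],
                                             "  WARNING: near table limit" if s["near_limit"] else ""))
    print("by protocol:", s["by_proto"], " tcp states:", s["tcp_states"])
    print("unreplied:", s["unreplied"], " half-open SYN_SENT by source:", s["half_open_by_src"])
```

Run it on the router and the total should track the "number of connections" graph; the half-open breakdown is the number to watch when the total climbs faster than the traffic does, and it is the kind of flow a raw-table NOTRACK rule (or a lower ip_conntrack_max with a shorter tcp timeout) is the usual answer to.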