Package: munin-node
Version: 1.2.5-1
Severity: normal

Hi.

Some days ago I noticed a very severe problem with the fw_conntrack and fw_forwarded_local plugins on one of my firewalls. When the system exceeded about 20,000 conntrack entries, both plugins would interrupt all data flow through this system for about 5 to 10 seconds, long enough for a failover mechanism to kick into action.

I can manually reproduce this by simply using "cat /proc/net/ip_conntrack" or "cat /proc/net/nf_conntrack". Now look at the runtimes in comparison with the usage of "conntrack -L":

r...@fw01-1:~# time cat /proc/net/nf_conntrack | wc -l
5657

real    0m0.608s
user    0m0.010s
sys     0m0.600s

r...@fw01-1:~# time cat /proc/net/ip_conntrack | wc -l
5703

real    0m0.580s
user    0m0.000s
sys     0m0.580s

r...@fw01-1:~# time conntrack -L | wc -l
5481

real    0m0.071s
user    0m0.050s
sys     0m0.020s

Even an unloaded system takes more than half a second, while the conntrack command takes only 10% of the time. With more and more connections in the conntrack table, the times scale exponentially when using the files in /proc, while "conntrack -L" nearly stays the same.

The disturbing problem is the total halt of all network operations during the cat from /proc, while conntrack -L does not interrupt anything. While the "cat /proc/net/ip_conntrack" does no harm to small systems, bigger and loaded systems will be severely impacted by this problem.

For the fw_conntrack and fw_forwarded_local plugins found in 1.2.5 (pre-1.4) you can simply replace the "cat /proc/net/ip_conntrack" command with a "conntrack -L", because the formats of both are identical. With /proc/net/nf_conntrack this is not yet possible.

Regards,
Sven.
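Added example, not part of Sven's report and not the munin plugins' own code: a POSIX sh sketch of the substitution the report describes. The listing from "conntrack -L" (or, when that command is absent, a constructed sample) is piped through one awk pass that counts entries by TCP state, UDP and the [ASSURED] flag, the kind of summary fw_conntrack reports. It goes one step beyond the report by also stripping the "ipv4 2" / "ipv6 10" layer-3 prefix that /proc/net/nf_conntrack prepends, so the same counting code accepts both layouts. The sample entries, their addresses and the names count_conntrack and sample_summary are constructed for this example.

```shell
#!/bin/sh
# Added example (not the munin plugin's code): summarise connection-tracking
# entries read from "conntrack -L" instead of from /proc/net/ip_conntrack.

# count_conntrack: read conntrack entries on stdin, print "state count" lines.
# Accepts the ip_conntrack layout ("tcp 6 431999 ESTABLISHED ...") and the
# nf_conntrack layout ("ipv4 2 tcp 6 431999 ESTABLISHED ..."); the latter's
# L3 prefix is removed so the protocol is always field 1 and the state field 4.
count_conntrack() {
    awk '
        /^ipv[46] +[0-9]+ +/ { sub(/^ipv[46] +[0-9]+ +/, "") }   # re-splits $0
        { total++ }
        $1 == "tcp" && $4 == "ESTABLISHED" { established++ }
        $1 == "tcp" && $4 == "FIN_WAIT"    { fin_wait++ }
        $1 == "tcp" && $4 == "TIME_WAIT"   { time_wait++ }
        $1 == "tcp" && $4 == "SYN_SENT"    { syn_sent++ }
        $1 == "udp"                        { udp++ }
        /\[ASSURED\]/                      { assured++ }
        END {
            # unset awk variables print as 0 with %d
            printf "established %d\n", established
            printf "fin_wait %d\n",    fin_wait
            printf "time_wait %d\n",   time_wait
            printf "syn_sent %d\n",    syn_sent
            printf "udp %d\n",         udp
            printf "assured %d\n",     assured
            printf "total %d\n",       total
        }'
}

# Constructed sample: three ip_conntrack-style lines followed by two
# nf_conntrack-style lines (RFC 5737 documentation addresses).
SAMPLE_ENTRIES='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 packets=12 bytes=1500 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 packets=10 bytes=9000 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=51235 dport=80 packets=6 bytes=600 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=51235 packets=5 bytes=4000 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.12 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=70 src=198.51.100.53 dst=192.0.2.12 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.13 dst=198.51.100.6 sport=51236 dport=22 packets=40 bytes=5000 src=198.51.100.6 dst=192.0.2.13 sport=22 dport=51236 packets=38 bytes=6000 [ASSURED] mark=0 zone=0 use=1
ipv4     2 tcp      6 60 SYN_SENT src=192.0.2.14 dst=198.51.100.7 sport=51237 dport=25 packets=1 bytes=60 [UNREPLIED] src=198.51.100.7 dst=192.0.2.14 sport=25 dport=51237 packets=0 bytes=0 mark=0 zone=0 use=1'

# sample_summary: run the counter over the constructed sample.
sample_summary() {
    printf '%s\n' "$SAMPLE_ENTRIES" | count_conntrack
}

# Stand-alone run: use the live listing when conntrack(8) is installed
# (its entries go to stdout, its "N flow entries" summary to stderr),
# otherwise fall back to the sample.
if command -v conntrack >/dev/null 2>&1; then
    conntrack -L 2>/dev/null | count_conntrack
else
    sample_summary
fi
```

The single awk pass is the point: whichever reader produces the lines, the plugin does one read and one parse, and the reader can be swapped from the /proc file to conntrack -L without touching the counting logic.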