在调查有关HTTP服务器性能不佳的抱怨时,我在Xen XCP主机的dmesg中发现了这些行,其中包含一个带有所述服务器的来宾操作系统:
[11458852.811070] net_ratelimit: 321 callbacks suppressed [11458852.811075] nf_conntrack: table full,dropping packet. [11458852.819957] nf_conntrack: table full,dropping packet. [11458852.821083] nf_conntrack: table full,dropping packet. [11458852.822195] nf_conntrack: table full,dropping packet. [11458852.824987] nf_conntrack: table full,dropping packet. [11458852.825298] nf_conntrack: table full,dropping packet. [11458852.825891] nf_conntrack: table full,dropping packet. [11458852.826225] nf_conntrack: table full,dropping packet. [11458852.826234] nf_conntrack: table full,dropping packet. [11458852.826814] nf_conntrack: table full,dropping packet.
抱怨每五秒重复一次(每次抑制回调的次数不同).
这些症状意味着什么?那不好吗?任何提示?
(请注意,问题比“如何解决HTTP服务器性能不佳的特定情况”更窄,所以我不会提供更多详细信息.)
附加信息:
$uname -a Linux MYHOST 3.2.0-24-generic #37-Ubuntu SMP Wed Apr 25 08:43:22 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux $lsb_release -a No LSB modules are available. distributor ID: Ubuntu Description: Ubuntu 12.04 LTS Release: 12.04 Codename: precise $cat /proc/sys/net/netfilter/nf_conntrack_max 1548576
服务器的每天点击次数约为10M.
更新:
ip0上的iptables:
$iptables -L -t nat -v Chain PREROUTING (policy ACCEPT 23155 packets,1390K bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 9 packets,720 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 27 packets,1780 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 23173 packets,1392K bytes) pkts bytes target prot opt in out source destination $iptables -L -v Chain INPUT (policy ACCEPT 13976 packets,1015K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 241K packets,24M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 13946 packets,1119K bytes) pkts bytes target prot opt in out source destination
其中一个DomUs的iptables:
$iptables -L -t nat -v Chain PREROUTING (policy ACCEPT 53465 packets,2825K bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 53466 packets,2825K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 51527 packets,3091K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 51527 packets,3091K bytes) pkts bytes target prot opt in out source destination $iptables -L -v Chain INPUT (policy ACCEPT 539K packets,108M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets,0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 459K packets,116M bytes) pkts bytes target prot opt in out source destination
我对这个有点好奇,并为你的症状找到了一个很好的解释.它们在
nf_conntrack: table full – how the absence of rules can lead to unexpected behaviour中有详细描述.
TL; DR:刚刚运行iptables -t nat -vnL开始加载nf_conntrack模块,导致无意中的状态防火墙.我自己还没有证实这一点,你可以打赌明天我会在工作中做到这一点.
解决方案:如果您不需要NAT,因为无论如何都要进行桥接,请卸载nf_conntrack_ *模块以及依赖于这些模块的所有其他依赖模块.通过chkconfig ip [6]表关闭所有防火墙也是一个好主意.
在Ubuntu中禁用防火墙可以通过sudo ufw disable完成,如果你不想重启,可以在these instructions之后完成.
