Re: [squid-users] Re: everload CPU

From: Simon White <[email protected]>
Date: Mon, 29 Apr 2002 09:09:34 +0000

29-Apr-02 at 00:45, Eduardo Cota (cota@iie.edu.uy) wrote :
> ---------------------------------------------
> Squid using 100% CPU/squid slow when using interception proxying (aka
> transparent proxying)
>
> If you are using Linux kernel 2.4.x (for example redhat 7.2), avoid using
> the ipchains emulation for packet redirection, use iptables instead.
>
> On kernel 2.4.x ipchains is an emulation of 2.2 ipchains on top of
> netfilter, and has been found to have performance problems when used for
> redirecting packets. These problems do not manifest when using iptables.
> ---------------------------------------------

Here's my slightly changed version:-

Squid slow when running as an interception (transparent) proxy

If you are using the 2.4.x branch of the Linux Kernel (RedHat 7.1+ uses
this kernel, for example) and ipchains on the same machine to redirect
packets to Squid, then high CPU usage can result.

In the 2.4 series, ipchains is a backwards-compatible emulation layer on
top of the netfilter package, which is either compiled-in or modular in
the 2.4 kernel. It appears to cause problems when used to redirect packets
to Squid (although this problem may not be unique to Squid). Note that
ipchains support is there for backwards compatibility only, and is not
recommended for a production firewall / router.

Switching to iptables fixes this problem. Iptables is the new firewalling
package which interfaces directly with netfilter. It has similar syntax to
ipchains and adds new functionality including stateful inspection
(connection tracking). See http://netfilter.samba.org/unreliable-guides/
for more information.

-- 
[Simon White. vim/mutt. simon@mtds.com. GIMPS:94.67% see www.mersenne.org]
Recognizing disagreements in belief requires having enough agreements in
belief to translate or understand the words and deeds of my opponent.
  -- Anthony O'Hear (combining, somewhat, several modern philosophers).
Received on Mon Apr 29 2002 - 03:09:37 MDT
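
An added example, not part of the original message or of Squid: a shell check that classifies which redirect backend a 2.4 host has loaded and prints the iptables rule to use in place of an ipchains redirect. The module names `ipchains` and `ip_tables` are as they appear in `lsmod` on 2.4 kernels; the interface `eth0`, port 80, Squid port 3128 and both sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed lsmod listings (not captured from a real host).
SAMPLE_IPCHAINS='Module                  Size  Used by
ipchains               38976   5
eepro100               17264   1'

SAMPLE_IPTABLES='Module                  Size  Used by
ipt_REDIRECT            1248   1
iptable_nat            16160   1  [ipt_REDIRECT]
ip_conntrack           13744   1  [iptable_nat]
ip_tables              11488   4  [ipt_REDIRECT iptable_nat]'

# redirect_backend KERNEL_RELEASE LSMOD_TEXT
# Prints one of: ipchains-emulation | iptables | none | not-2.4
# Only modular builds are visible here; compiled-in support does not
# show up in lsmod and is reported as "none".
redirect_backend() {
    case "$1" in
        2.4.*) ;;
        *) echo "not-2.4"; return 0 ;;
    esac
    # First column of lsmod is the module name; skip the header line.
    mods=$(printf '%s\n' "$2" | awk 'NR > 1 { print $1 }')
    if printf '%s\n' "$mods" | grep -qx 'ipchains'; then
        echo "ipchains-emulation"
    elif printf '%s\n' "$mods" | grep -qx 'ip_tables'; then
        echo "iptables"
    else
        echo "none"
    fi
}

# advise KERNEL_RELEASE LSMOD_TEXT [IFACE] [SQUID_PORT]
advise() {
    backend=$(redirect_backend "$1" "$2")
    iface=${3:-eth0}; port=${4:-3128}   # assumed defaults
    if [ "$backend" = "ipchains-emulation" ]; then
        echo "ipchains emulation loaded on kernel $1; redirect with iptables instead:"
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-port $port"
    else
        echo "backend: $backend"
    fi
}

advise "2.4.18" "$SAMPLE_IPCHAINS"
```

On a live host the same functions can be fed real data with `advise "$(uname -r)" "$(lsmod)"`.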