> On Sat, 28 Aug 2004 at 02:47, Nick Drage wrote:
> > On Fri, Aug 27, 2004 at 05:19:07PM -0400, Jason Opperisano wrote:
> > >
> > > long answer: it has been discussed on this list previously that
> > > connection tracking DNS queries/responses on or for a busy DNS server
> > > (i think the number was ~ 200 queries/second) will slow the name
> > > resolution process down. the reason being that the state creation
> > > adds noticeable, unnecessary latency, as most (all?) queries are one
> > > packet request--one packet response.
> >
> > I've a vague recollection of being able to specify that a rule won't
> > create an entry in the state table, so for situations like this
> > netfilter can act faster, as long as you specify the correct rules for
> > connections both ways. However I can't find anything in the
> > documentation about this... after a cursory look... can anyone refresh
> > my memory?
>
> I think that even if you don't use the conntrack feature for the DNS
> port you will have state table entries anyway, because the state
> machine will check every connection you made. The only solution would
> be to unload the conntrack module and not use conntrack at all, but
> that's probably a mess, because you would have to change all the
> rules to specify both directions of traffic, like in the old ipchains
> days.

or use the raw table NOTRACK patch like someone else suggested (and i
should have included in my initial rambling).

-j
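The raw-table NOTRACK approach from the last reply, as an added example that is not from any poster in this thread. It assumes the `iptables` binary is on the path (override with the `IPT` variable) and that the DNS server answers on UDP port 53 (`DNS_PORT`); both names are this example's own. The script only prints the rules unless `APPLY=1` is set, so it can be reviewed before anything is changed. The point the thread makes about "both directions" still applies: packets exempted from tracking never match `ESTABLISHED,RELATED`, so the filter table needs explicit `UNTRACKED` accepts for the query and the reply.

```sh
#!/bin/sh
# Added example (not from the thread): exempt a DNS server's UDP/53 traffic
# from connection tracking via the raw table, and add the filter rules that
# the untracked packets then need. Assumed names: IPT, DNS_PORT, APPLY.
IPT="${IPT:-iptables}"
DNS_PORT="${DNS_PORT:-53}"

# Print (do not run) the rules for one protocol; defaults to udp because the
# one-packet-request/one-packet-reply reasoning in the thread is about UDP.
notrack_rules() {
    proto="${1:-udp}"
    # The raw table is traversed before conntrack, so these packets never
    # create a state entry: queries arriving from clients, replies going out.
    echo "$IPT -t raw -A PREROUTING -p $proto --dport $DNS_PORT -j NOTRACK"
    echo "$IPT -t raw -A OUTPUT -p $proto --sport $DNS_PORT -j NOTRACK"
    # Untracked packets never match ESTABLISHED/RELATED, so a stateful
    # ruleset must accept both directions explicitly by the UNTRACKED state.
    echo "$IPT -A INPUT -p $proto --dport $DNS_PORT -m state --state UNTRACKED -j ACCEPT"
    echo "$IPT -A OUTPUT -p $proto --sport $DNS_PORT -m state --state UNTRACKED -j ACCEPT"
}

# Number of rules notrack_rules emits for a protocol (a sanity check hook).
count_rules() {
    notrack_rules "${1:-udp}" | wc -l | tr -d ' '
}

# Dry run by default; with APPLY=1 the printed commands are executed.
apply_notrack() {
    proto="${1:-udp}"
    if [ "${APPLY:-0}" = "1" ]; then
        notrack_rules "$proto" | sh -e
    else
        notrack_rules "$proto"
    fi
}

# After applying, count conntrack entries that still mention the DNS port.
# Zero means state is no longer being created for DNS traffic. Prints 0 when
# the conntrack proc file is absent (module unloaded or not a Linux host).
check_conntrack() {
    f=/proc/net/ip_conntrack
    if [ -r "$f" ]; then
        grep -c "dport=$DNS_PORT" "$f" || true
    else
        echo 0
    fi
}

# Stand-alone run: show the rules (dry run unless APPLY=1 is exported).
apply_notrack udp
```

Usage: run it once to review the four commands, then `APPLY=1 sh notrack-dns.sh` to install them, and `check_conntrack` afterwards to confirm that port-53 entries stop appearing. Kernels from the 2.6.34 era onward spell the target as `-j CT --notrack` in place of `-j NOTRACK`; the raw-table placement and the need for UNTRACKED accepts are unchanged.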