On Thu, Oct 14, 2004 at 02:31:11PM -0400, Jiann-Ming Su wrote:
> On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie@xxxxxxxxxxx> wrote:
> >
> > egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
> >
>
> We're finding that any read operation on /proc/net/ip_conntrack really
> locks the system until that operation is completed. That is, it's
> almost as if the read prevents any writes, so the firewall locks up
> momentarily until the read is done. Is there a less system-intensive
> way to read ip_conntrack? Or is my observation completely wrong?

I'm not aware of any way that reading /proc/net/ip_conntrack would prevent
the system from creating new conntrack entries, but there are lots of things
that I'm not aware of...

You could try IPTState: http://iptstate.phildev.net/

I don't know if it'll help though, as I'm pretty sure it just reads in
/proc/net/ip_conntrack for its data, same as cat/grep/sed/awk/etc...

Are you sure there isn't something else going on?

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
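An added example, not part of the thread above and not IPTState's code: it runs the thread's egrep one-liner over constructed sample lines in the /proc/net/ip_conntrack layout of that era, tallies every entry by state in a single pass (so one read of the table answers several questions instead of one grep per state), and shows the cheap alternative for the plain "how many entries" question: the kernel's own running counter, which is read without walking the table at all. The sample lines are made up; the three counter-file paths are the ones used by 2.4 ip_conntrack, 2.6 ip_conntrack and nf_conntrack respectively, and the function simply skips any that are absent.

```shell
#!/bin/sh
# Added example, not from the thread. Counts conntrack entries from
# /proc/net/ip_conntrack-format lines, and shows the cheap alternative:
# the kernel's own entry counter, which is read without walking the table.

# Constructed sample in the 2.4/2.6 /proc/net/ip_conntrack layout: TCP rows
# carry a state name in field 4; UDP/ICMP rows have no state field.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.1 sport=45678 dport=80 packets=5 bytes=300 src=10.0.0.1 dst=192.168.1.2 sport=80 dport=45678 packets=4 bytes=200 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.2 dst=10.0.0.1 sport=45679 dport=80 packets=6 bytes=400 src=10.0.0.1 dst=192.168.1.2 sport=80 dport=45679 packets=5 bytes=250 [ASSURED] mark=0 use=1
tcp      6 59 SYN_SENT src=192.168.1.4 dst=10.0.0.2 sport=33000 dport=443 packets=1 bytes=60 [UNREPLIED] src=10.0.0.2 dst=192.168.1.4 sport=443 dport=33000 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.168.1.3 dst=192.168.1.1 sport=53000 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.168.1.1 dst=192.168.1.3 sport=53 dport=53000 packets=0 bytes=0 mark=0 use=1
udp      17 170 src=192.168.1.5 dst=192.168.1.1 sport=123 dport=123 packets=3 bytes=228 src=192.168.1.1 dst=192.168.1.5 sport=123 dport=123 packets=3 bytes=228 [ASSURED] mark=0 use=1'

# The thread's one-liner, reading stdin instead of the proc file: counts
# rows matching ESTABLISHED or ASSURED (a row matching both counts once).
count_established_or_assured() {
    grep -Ec 'ESTABLISHED|ASSURED'
}

# One awk pass that tallies every row by state, so SYN_SENT floods,
# TIME_WAIT pile-ups and unreplied UDP all come out of a single read of
# the table rather than one grep per state.
tally_by_state() {
    awk '{
        if ($1 == "tcp")           key = $4
        else if (/\[UNREPLIED\]/)  key = $1 "_unreplied"
        else                       key = $1
        n[key]++
    }
    END { for (k in n) printf "%s %d\n", k, n[k] }' | sort
}

# Total entry count from the kernel's running counter. Reading it does not
# walk the table, so it is the cheap way to watch table size. The path
# moved between kernel versions (2.4 ip_conntrack, 2.6 ip_conntrack,
# nf_conntrack); files that do not exist on this host are skipped.
conntrack_count() {
    for f in /proc/sys/net/ipv4/ip_conntrack_count \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
             /proc/sys/net/netfilter/nf_conntrack_count; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | count_established_or_assured
printf '%s\n' "$SAMPLE" | tally_by_state
conntrack_count || echo "no conntrack counter file readable on this host"
```

On a live box, replace the `printf '%s\n' "$SAMPLE" |` prefix with `< /proc/net/ip_conntrack` for the two parsing functions. If all that is wanted is the size of the table (for example to compare against ip_conntrack_max), read the counter file instead of the table; whatever the cost of the full proc walk turns out to be on a given kernel, the counter sidesteps it.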