On Thu, 14 Oct 2004 at 20:31, Jiann-Ming Su wrote:
> On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie@xxxxxxxxxxx> wrote:
> >
> > egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
> >
>
> We're finding that any read operation on /proc/net/ip_conntrack really
> locks the system until that operation is completed. That is, it's
> almost as if the read prevents any writes, so the firewall locks up
> momentarily until the read is done. Is there a less system intensive
> way to read ip_conntrack? Or, is my observation completely wrong?

You can try to use libipq or libiptc to read the connection tracking
list, but I don't know if it's even possible. You can check the source
code of iptstate to see how they do it; maybe you can find a way of
reading the data more quickly or at least read only the data you need.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
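
An added example, not written by either poster: copy the table out in one sequential read and run every count against the copy, so the live /proc/net/ip_conntrack file is opened once per sampling interval rather than once per query. The function names are hypothetical, the sample entries are constructed, and whether a single read shortens the stall described above is an assumption to measure on the affected firewall.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the conntrack table with one
# read, then answer every counting question from the snapshot file.

# sample_conntrack: constructed entries in the ip_conntrack line layout
# (protocol name, protocol number, timeout, TCP state if any, tuples, flags).
sample_conntrack() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40001 [ASSURED] use=1
tcp      6 55 SYN_SENT src=192.0.2.12 dst=198.51.100.9 sport=40002 dport=25 [UNREPLIED] src=198.51.100.9 dst=192.0.2.12 sport=25 dport=40002 use=1
udp      17 25 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 use=1
udp      17 170 src=192.0.2.13 dst=198.51.100.53 sport=5354 dport=53 src=198.51.100.53 dst=192.0.2.13 sport=53 dport=5354 [ASSURED] use=1
EOF
}

# snapshot_conntrack SRC DST: one sequential read of SRC, written to DST.
# On the firewall SRC would be /proc/net/ip_conntrack and DST a tmpfs path.
snapshot_conntrack() {
    cat "$1" > "$2"
}

# summarize_conntrack FILE: single awk pass over the snapshot.
# Prints "<total> <tcp_established> <assured> <either>", where <either> is
# the figure the egrep 'ESTABLISHED|ASSURED' | wc -l pipeline reports.
summarize_conntrack() {
    awk '
        { total++ }
        $1 == "tcp" && $4 == "ESTABLISHED" { est++ }
        /\[ASSURED\]/                      { assured++ }
        /ESTABLISHED|ASSURED/              { either++ }
        END { printf "%d %d %d %d\n", total, est, assured, either }
    ' "$1"
}

# Demo on the constructed sample so the script runs on any machine.
tmp=$(mktemp)
sample_conntrack > "$tmp"
summarize_conntrack "$tmp"
rm -f "$tmp"
```

On the sample, the combined pattern counts TIME_WAIT and assured UDP entries as well as established TCP connections, which is why the summary reports the figures separately.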