Jiann-Ming Su wrote:
> On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie@xxxxxxxxxxx> wrote:
> > egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
>
> We're finding that any read operation on /proc/net/ip_conntrack really
> locks the system until that operation is completed. That is, it's
> almost as if the read prevents any writes, so the firewall locks up
> momentarily until the read is done. Is there a less system-intensive
> way to read ip_conntrack? Or is my observation completely wrong?
From the Linux kernel 2.6.9 changelog:
[NETFILTER]: add sysctl to read out the number of current connections
Apparently a lot of scripts use a construct like
cat /proc/net/ip_conntrack | wc -l
which has a negative impact on system performance due to all the locking
required.
--
Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
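The changelog quoted above describes the cheap alternative to scanning the table: a sysctl that exposes the entry count directly. The script below is an added example, not code from the thread or from the kernel, showing how a monitoring script would read that count. The file names are facts about the kernel (2.6.9-era ip_conntrack exported /proc/sys/net/ipv4/netfilter/ip_conntrack_count; later nf_conntrack kernels export /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max), but the sample files, the 80% threshold and the function names are constructed for the example so it runs on a box without conntrack loaded.

```shell
#!/bin/sh
# Added example (not from the thread): read the conntrack entry count from the
# per-table sysctl instead of walking /proc/net/ip_conntrack, which takes the
# table locks for the whole read and stalls packet processing meanwhile.

# conntrack_count FILE...: print the integer from the first readable FILE.
# Pass the nf_conntrack path first and the old ip_conntrack path second so
# the same script works on both kernel generations.
conntrack_count() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            tr -dc '0-9' < "$f"
            echo
            return 0
        fi
    done
    return 1
}

# usage_percent COUNT MAX: integer percentage of the table in use.
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX THRESHOLD: prints WARN when the table is at or
# above THRESHOLD percent full (new flows are dropped once it hits MAX), else OK.
conntrack_status() {
    pct=$(usage_percent "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo WARN
    else
        echo OK
    fi
}

# Constructed sample files standing in for the real /proc entries, so the
# example runs offline. Values are made up for the example.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf '%s\n' 12043 > "$TMP/nf_conntrack_count"
printf '%s\n' 65536 > "$TMP/nf_conntrack_max"

count=$(conntrack_count "$TMP/nf_conntrack_count")
max=$(conntrack_count "$TMP/nf_conntrack_max")
echo "sample: $count/$max entries ($(usage_percent "$count" "$max")%) -> $(conntrack_status "$count" "$max" 80)"

# Same call against the live kernel files; silently skipped if neither exists.
if live=$(conntrack_count /proc/sys/net/netfilter/nf_conntrack_count \
                          /proc/sys/net/ipv4/netfilter/ip_conntrack_count); then
    echo "live conntrack entries: $live"
fi
```

One caveat: the sysctl counts every entry in the table, whatever its state, so it is not the same number as the `egrep 'ESTABLISHED|ASSURED'` filter in the original command. If a script really needs only assured entries it still has to dump the table, and that read should be rare and off the hot path rather than in a tight polling loop.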