On Tue, 2004-11-16 at 16:29, Lindsay Snider wrote:
> When quickly adding/removing rules to iptables, I randomly get the 'Resource
> temporarily unavailable' and 'Invalid argument' message. In the past, I put
> a random .3 - 1 sec sleep in between iptables calls to get the rules in.
> Recently we've updated two boxes to the 2.6 kernel and things have gotten
> worse. We normally float around 10K rules but when the 2.6 kernel boxes get
> into the 7K number of rules range, the add/removal time is too slow for the
> boxes to keep up with the changes. On the 2.6 kernel boxes, the system time
> maxes out one processor at 100% system cpu. The 2.4 kernel boxes are keeping
> up, running for mail load and the system cpu is averaging 41%.
>
> A quick note on the boxes. There are 9 dell 1550's (dual PIII, 1G ram). 7
> boxes are running 2.4.22-1.2199.nptlsmp (fedora rpm), 1 running
> 2.6.9-1.667smp (fc3 rpm), and 1 running 2.6.9 (stock kernel.org). The
> hardware w/i the boxes are the same.
>
> Does anyone have a suggestion on what this might be?
>
> Additional info:
> iptables add/remove rate is averaging 64.5 / minute
>
>
> Lindsay

Save your rules via iptables-save and load your rules via iptables-restore.

Refer to this previous post on the efficiency gains:
http://marc.theaimsgroup.com/?l=netfilter&m=109897603213467&w=2

-j

--
"Getting out of jury duty is easy. The trick is to say you're prejudiced against all races." --The Simpsons
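An added example of the approach suggested in the reply (not code from the thread or from the netfilter project): instead of forking one iptables process per rule, the script below turns a plain rule list into an iptables-restore file for the filter table and loads it with a single call, so the kernel replaces the whole table once. The rule-list format, the function names and the rule values are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: bulk-load iptables rules through iptables-restore instead
# of one iptables(8) invocation per rule (constructed, not from the thread).
#
# Assumed input format: one rule per line, written as the arguments you
# would pass to "iptables -A", e.g.
#   INPUT -s 192.0.2.10 -p tcp --dport 25 -j DROP
# Blank lines and lines starting with '#' are ignored.

# Emit a complete iptables-restore snippet for the filter table on stdout.
# $1: path of the rule list. Built-in chain policies default to ACCEPT.
gen_filter_restore() {
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n'
    printf ':FORWARD ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    # Every remaining line becomes an "-A <chain> <match...>" rule.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | sed 's/^/-A /'
    printf 'COMMIT\n'
}

# Count the rules in a restore snippet (lines beginning with "-A ").
count_rules() {
    grep -c '^-A ' "$1"
}

# Load the file: the filter table is replaced atomically in one commit,
# rather than copied into the kernel once per added or removed rule.
load_rules() {
    iptables-restore < "$1"
}

# Demo with a constructed rule list; run as root to actually load it.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' \
        'INPUT -s 192.0.2.10 -p tcp --dport 25 -j DROP' \
        'INPUT -s 192.0.2.11 -p tcp --dport 25 -j DROP' \
        '# comment lines are skipped' \
        'FORWARD -i eth1 -o eth0 -j ACCEPT' > "$tmp"
    gen_filter_restore "$tmp" > "$tmp.restore"
    echo "rules in restore file: $(count_rules "$tmp.restore")"
    load_rules "$tmp.restore"
    rm -f "$tmp" "$tmp.restore"
fi
```

Regenerate the full list from your source of truth and reload it on each change; that turns thousands of per-rule kernel round trips into one table replacement.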