On Wednesday 2008-05-07 19:26, lists+netfilter@xxxxxxx wrote:

> Hi there,
> I have quite a large list of blacklisted networks in my iptables firewall,
> approx. 20,000.
> Now I have a script that updates this blacklist according to my needs every
> hour. My problem now is that during the update period (which consists of
> several iptables [-I|-D] $CHAIN -s ... -j ... commands) my traffic accounting
> is going haywire.
> I have narrowed it down to the problem that displaying the rules (from which I
> extract the traffic information via iptables -xvnL $CHAIN) intermittently shows
> 0s (zeroes) as packet and byte counters while the insert/delete commands are
> being issued.
> Is there a locking problem? Should I maybe report this to the devel list?

Each invocation of iptables retrieves and writes the rule table back into the
kernel, which is very antiperformant. You want to be using iptables-restore
here to minimize any delays.
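The reply's suggestion carried through, as an added example that is not part of the thread: instead of one iptables call per network (each of which fetches and rewrites the whole table), the script below turns a blacklist file into iptables-restore input and loads it with one kernel update. The chain name BLACKLIST, the file paths and the sample networks are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build one iptables-restore input for
# the whole blacklist and load it in a single table update. Chain name, file
# paths and the sample networks in the test are assumptions.

CHAIN=${CHAIN:-BLACKLIST}                 # hypothetical chain name
LIST=${LIST:-/etc/blacklist.txt}          # one network per line, '#' comments

# Print iptables-restore text for the chain: the ':CHAIN' line (re)creates it,
# every network becomes one -A rule, and COMMIT applies the whole set at once.
build_restore_input() {
    chain=$1; file=$2
    echo '*filter'
    echo ":$chain - [0:0]"
    while read -r net _ || [ -n "$net" ]; do
        case $net in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "-A $chain -s $net -j DROP"
    done < "$file"
    echo 'COMMIT'
}

# Number of rules a generated restore text would install ('-A ' lines).
rule_count() {
    grep -c '^-A ' "$1"
}

# Usage: generate to a temp file, sanity-check it, then load with --noflush so
# the other chains keep their rules and counters; iptables-restore flushes
# only the user-defined chain named on the ':' line and refills it in one go.
if [ "${1:-}" = apply ]; then
    tmp=$(mktemp) || exit 1
    build_restore_input "$CHAIN" "$LIST" > "$tmp"
    echo "loading $(rule_count "$tmp") rules into $CHAIN"
    iptables-restore --noflush < "$tmp"
    rm -f "$tmp"
fi
```

Run as `sh update-blacklist.sh apply` from the hourly job; the counters of the replaced rules still reset, so read them with `iptables -xvnL` before the reload if the accounting needs them.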