Hello everyone,

I recently tested a new environment to account for some traffic on my network with some iptables rules.

1) I have got 2 rules (one for the in stream and one for the out stream) per IP I want to account. Since I account some contiguous addresses, I wondered if a binary tree starting with the first IP of my /19 and then chaining through different tables to reach a single IP leaf would result in logarithmic complexity rather than linear… So far I am adding the whole set of rules with a perl script using libiptc, to commit the rules to netfilter only once.

2) These ~62k rules are not really significant for the load of my firewall. But unfortunately, in my tests I sometimes had to manage some big failures, where an iptables command (-Z, -A or -L) is stuck on the system, and then one of my cores is used at 100% and the load increases, and generally I get this kernel alert: http://pastebin.com/F1DL7ZZT

Any advice or explanation will be great for my new installation!

Thanks,

-- Léo Cavaillé
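The chain layout asked about in point 1, as an added example that is not part of the original post: it splits a range one prefix bit per chain, renders the result as a single iptables-restore payload, and counts how many rule comparisons one packet address costs. The range 10.0.0.0/19, the chain prefix ACCT and the function names are assumptions made for illustration; the stuck-command problem in point 2 is not addressed here.

```python
import ipaddress

def build_tree(cidr, root="ACCT"):
    """Map chain name -> [(network, target)]; target None is a counter-only leaf rule."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == net.max_prefixlen:
        raise ValueError("need a network larger than a single address")
    tree = {}

    def name(n):
        return f"{root}_{int(n.network_address):08x}_{n.prefixlen}"

    def walk(n):
        rules = tree.setdefault(name(n), [])
        for half in n.subnets(prefixlen_diff=1):
            if half.prefixlen == half.max_prefixlen:
                rules.append((half, None))        # leaf: count this single IP
            else:
                rules.append((half, name(half)))  # inner node: descend one bit
                walk(half)

    walk(net)
    return name(net), tree

def render(tree, flag="-s"):
    """One iptables-restore payload, so the whole set is committed in one pass."""
    lines = ["*filter"] + [f":{chain} - [0:0]" for chain in tree]
    for chain, rules in tree.items():
        for net, target in rules:
            lines.append(f"-A {chain} {flag} {net}" + (f" -j {target}" if target else ""))
    return "\n".join(lines + ["COMMIT"]) + "\n"

def rules_evaluated(root, tree, addr):
    """Rule comparisons for one packet address, following -j and the implicit return."""
    ip = ipaddress.ip_address(addr)

    def visit(chain):
        count = 0
        for net, target in tree[chain]:
            count += 1
            if target and ip in net:
                count += visit(target)
        return count

    return visit(root)

if __name__ == "__main__":
    root, tree = build_tree("10.0.0.0/19")   # constructed example range
    print(len(tree), "chains;", rules_evaluated(root, tree, "10.0.17.42"), "comparisons")
```

The payload is meant for `iptables-restore --noflush`, and a rule in a built-in chain still has to jump to the root chain. A second tree built with another `root` and rendered with `flag="-d"` covers the opposite direction.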