Re: [iptables] Implement huge amount of iptables make system crash


On Sunday 2011-12-04 14:34, Léo Cavaillé wrote:

>Hello everyone,
>
>I recently tested a new environment to account some traffic on my
>network with some iptables rules
>
>1) I have got 2 rules (one for in and one for out stream) per IP I want
>to account. Since I account some contiguous addresses I wondered if a
>binary tree starting with the first IP of my /19 and then chaining
>through different tables to reach a single IP leaf will result in a
>logarithmic complexity rather than linear…

Yes, Jesper Brouer wrote some Perl code that takes care of automatically 
producing a fanned tree like that.

>So far I am adding the whole set of rules with a perl script using
>libiptc to commit only once the rules to netfilter.
>
>
>2) These ~62k rules are not really significant for the load of my
>firewall. But unfortunately, I had sometimes in my tests to manage some big 
>failures, where an iptables command (-Z, -A or -L) is stuck on the system 
>and then one of my cores is used at 100% and the load increases, and generally 
>I get this kernel alert :
>http://pastebin.com/F1DL7ZZT

Keep in mind that the ruleset is replicated for each HW thread and thus 
puts big requirements on memory available; as such though, I would have 
expected an OOM message rather than an "Unable To Handle Kernel Paging 
Request".

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
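For readers who want to see what the "fanned tree" above looks like as an actual ruleset: the following generator is an added example for this archive page, not Jesper Brouer's Perl script and not code posted by either author. It assumes IPv4, that the accounting rules are targetless (they only bump counters), that both directions hang off FORWARD, and a chain-naming scheme of a_<s|d>_<network>_<prefixlen>; none of that comes from the thread. Each chain covers one prefix: internal chains hold one jump rule per sub-prefix (2**fanout_bits of them), chains at leaf_prefix hold one counting rule per single address. The output is iptables-restore syntax, so the whole tree is committed in one table replace, as Léo does through libiptc.

```python
#!/usr/bin/env python3
"""Generate a fanned tree of iptables chains for per-address accounting.

Added example for this thread; it is not Jesper Brouer's Perl generator
and not code posted by either author. Assumptions: accounting rules are
targetless (they only bump counters), both directions hang off FORWARD,
and chain names follow the scheme a_<s|d>_<network>_<prefixlen>.
"""
import ipaddress

# iptables refuses chain names of 29 characters or more.
XT_CHAIN_MAXLEN = 28


def chain_name(net, tag):
    """Chain for one prefix: 10.0.0.0/19 matched on -s -> a_s_10_0_0_0_19."""
    name = "a_%s_%s_%d" % (tag, str(net.network_address).replace(".", "_"),
                           net.prefixlen)
    if len(name) > XT_CHAIN_MAXLEN:
        raise ValueError("chain name too long: " + name)
    return name


def build_tree(network, tag, match, fanout_bits=1, leaf_prefix=28):
    """Return (root_chain, chains, rules) for one direction.

    Internal chains hold 2**fanout_bits jump rules, one per sub-prefix;
    chains at leaf_prefix hold one counting rule per single address.
    tag is 's' or 'd' (used in chain names); match is the iptables
    option, '-s' or '-d', that the direction is keyed on.
    """
    net = ipaddress.ip_network(network)
    if net.version != 4:
        raise ValueError("IPv4 only: the naming scheme assumes dotted quads")
    if not net.prefixlen <= leaf_prefix <= net.max_prefixlen:
        raise ValueError("leaf_prefix must lie between /%d and /32" % net.prefixlen)
    chains, rules = [], []

    def walk(n):
        cname = chain_name(n, tag)
        chains.append(cname)
        if n.prefixlen >= leaf_prefix:
            # Leaf: a rule without -j only counts; the packet keeps going,
            # falls off the end of the chain and returns to the parent.
            for addr in n:
                rules.append("-A %s %s %s" % (cname, match, addr))
            return
        step = min(fanout_bits, leaf_prefix - n.prefixlen)
        for sub in n.subnets(prefixlen_diff=step):
            rules.append("-A %s %s %s -j %s"
                         % (cname, match, sub.with_prefixlen, chain_name(sub, tag)))
            walk(sub)

    walk(net)
    return chains[0], chains, rules


def render_restore(network, fanout_bits=1, leaf_prefix=28, hook="FORWARD"):
    """iptables-restore text for both directions, committed in one go."""
    decls, body = [], []
    prefix = ipaddress.ip_network(network).with_prefixlen
    for tag, match in (("s", "-s"), ("d", "-d")):
        root, chains, rules = build_tree(network, tag, match, fanout_bits, leaf_prefix)
        decls += [":%s - [0:0]" % c for c in chains]
        body.append("-A %s %s %s -j %s" % (hook, match, prefix, root))
        body += rules
    return "\n".join(["*filter"] + decls + body + ["COMMIT", ""])


def worst_case_evaluations(network, fanout_bits=1, leaf_prefix=28):
    """(tree, flat): rules a matching packet is tested against, excluding
    the hook rule, in the tree versus one flat chain of per-address rules.
    Every sibling jump rule is tested once (the non-matching ones either
    before the descent or after the return), then the whole leaf chain."""
    net = ipaddress.ip_network(network)
    tree, bits = 0, net.prefixlen
    while bits < leaf_prefix:
        step = min(fanout_bits, leaf_prefix - bits)
        tree += 2 ** step
        bits += step
    tree += 2 ** (net.max_prefixlen - leaf_prefix)
    return tree, net.num_addresses


if __name__ == "__main__":
    import sys
    net = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.0/19"
    sys.stdout.write(render_restore(net))
    sys.stderr.write("worst case rule tests (tree, flat): %s\n"
                     % (worst_case_evaluations(net),))
```

Feed the output to iptables-restore --noflush so the existing filter rules survive; the ":name - [0:0]" lines create chains that do not exist yet and flush ones that do. For a /19 with binary fan-out and /28 leaves this gives 1023 chains and 9214 rules per direction, and a matching packet is tested against 34 rules instead of 8192; fan-out of 1 or 2 bits costs two rule tests per prefix bit, wider fan-out means fewer chains but more tests per level. The memory point in the reply still applies: every rule in this output is copied once per CPU, so multiply the ruleset size by the core count before deciding how deep to go.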
