On Thursday 07 June 2012 13:43:25 Aidas Kasparas wrote:
> On 2012.06.07 09:59, Jozsef Kadlecsik wrote:
> > Maybe your given set gets full. From the manpage:
> >
> > "When entries added by the SET target of iptables/ip6tables, then the
> > hash size is fixed and the set won't be duplicated, even if the new
> > entry cannot be added to the set."
>
> Ok. But if the set is full, and I list it, it should show at least some
> members present. When it stops working, it shows no members at all.
>
> On the other hand, I create sets with timeout 10. So, every 3 secs there
> should be an expiration process which throws ~ 1/3 of entries from each
> chain. And this should make place for some new entries.

I'll address *your* problem, not the problem you observed with the ipset
code (which may be a real problem).

How many entries are in the set when it is 'full'?

Have you tried setting the initial size of the hash to the maximum (64ki?)?

Utilization of a set ought to be non-deterministic because you can't know
how many 'new' addresses will arrive in any given time interval.

In other words (a contrived example), suppose at time T you had 64ki
addresses in the hash with 20,000 set to expire in 3⅓ seconds (the rest
later). In the next 3333ms, 2000 new addresses arrive but can't fit in the
set. At T+3333ms, 20k addresses expire. In the next 2000ms, 21k new
addresses arrive; 1000 of them won't fit in the set.

80Mb/s allows for a lot of packets; even slow consumer-grade switches can
exceed 64ki addresses in 10 seconds via SYN packets.

Given all that, can you redesign your sets so you don't (maybe can't)
fill them?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
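The back-of-the-envelope scenario in the reply above (a set that cannot grow, entries expiring in batches at each sweep, new addresses that no longer fit) can be played out with a small simulation. The Python below is an added example written for this page; it is not ipset's code and was not posted by anyone in the thread. It assumes a toy model: a fixed-capacity set with one uniform timeout, an expiry sweep that runs every `gc_ms` (Aidas's "every 3 secs" for timeout 10), and a stream of never-seen-before addresses at a constant rate. The capacities, timeouts and arrival rates fed to it are constructed numbers, and `FixedTimeoutSet`, `simulate` and `occupancy_bound` are names chosen here.

```python
"""Toy model of a fixed-size, timeout-based set fed by a stream of new addresses.

Assumption made for this example: entries are inserted the way the quoted manpage
describes for the SET target (the hash cannot grow, so a full set rejects), each
entry expires timeout_ms after insertion, and an expiry sweep removes expired
entries every gc_ms.  This is a simulation, not ipset's implementation.
"""


class FixedTimeoutSet:
    """Fixed-capacity set whose members expire timeout_ms after insertion."""

    def __init__(self, maxelem, timeout_ms, gc_ms):
        self.maxelem = maxelem
        self.timeout_ms = timeout_ms
        self.gc_ms = gc_ms
        self.expiry = {}      # address -> absolute expiry time in ms
        self.added = 0        # successful inserts of a new address
        self.rejected = 0     # inserts refused because the set was full
        self.peak = 0         # largest occupancy observed

    def sweep(self, now_ms):
        """Expiry process: drop every member whose timeout has elapsed."""
        for addr in [a for a, exp in self.expiry.items() if exp <= now_ms]:
            del self.expiry[addr]

    def add(self, addr, now_ms):
        """Insert without growing the hash; a full set refuses new members."""
        if addr in self.expiry:
            # Assumed behaviour: re-adding a member refreshes its timeout.
            self.expiry[addr] = now_ms + self.timeout_ms
            return True
        if len(self.expiry) >= self.maxelem:
            self.rejected += 1
            return False
        self.expiry[addr] = now_ms + self.timeout_ms
        self.added += 1
        self.peak = max(self.peak, len(self.expiry))
        return True


def simulate(maxelem, timeout_ms, gc_ms, rate_per_sec, duration_s):
    """Feed rate_per_sec distinct new addresses per second for duration_s seconds.

    The sweep runs first in any millisecond that is a multiple of gc_ms.  Integer
    arithmetic keeps the arrival count exact: rate_per_sec * duration_s in total.
    """
    s = FixedTimeoutSet(maxelem, timeout_ms, gc_ms)
    next_addr = 0                      # constructed addresses: 0, 1, 2, ...
    for t in range(duration_s * 1000):
        if t > 0 and t % gc_ms == 0:
            s.sweep(t)
        arrivals = (t + 1) * rate_per_sec // 1000 - t * rate_per_sec // 1000
        for _ in range(arrivals):
            s.add(next_addr, t)
            next_addr += 1
    return {"arrivals": next_addr, "added": s.added, "rejected": s.rejected,
            "peak": s.peak, "final": len(s.expiry)}


def occupancy_bound(rate_per_sec, timeout_ms, gc_ms):
    """Most slots a steady stream can hold at once in this model.

    An entry is only freed by the first sweep after its timeout, so it can sit
    in a slot for up to timeout_ms + gc_ms.  If this exceeds maxelem, the stream
    will be rejected in bursts, just as in the contrived example in the mail.
    """
    return rate_per_sec * (timeout_ms + gc_ms) / 1000


if __name__ == "__main__":
    # The thread's numbers: 64ki entries, timeout 10 s, sweep about every 3.3 s.
    for rate in (4000, 6000):
        r = simulate(65536, 10000, 3333, rate, 30)
        print(f"{rate}/s new addresses: bound {occupancy_bound(rate, 10000, 3333):.0f},"
              f" peak {r['peak']}, rejected {r['rejected']} of {r['arrivals']}")
```

The point the simulation makes visible is that the sweep interval adds to the effective lifetime of an entry: with timeout 10 s and a sweep every 3.3 s, a sustained stream of about 4900 new addresses per second is already enough to fill a 64ki set in this model, and once the set is full the rejections arrive in bursts between sweeps rather than as a steady trickle. Sizing the set from arrival rate times (timeout plus sweep interval), or shortening the timeout, is what keeps the drop count at zero.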