On Thu, 7 Jun 2012, Neal Murphy wrote:

> On Thursday 07 June 2012 13:43:25 Aidas Kasparas wrote:
> > On 2012.06.07 09:59, Jozsef Kadlecsik wrote:
> > > Maybe your given set gets full. From the manpage:
> > >
> > > "When entries added by the SET target of iptables/ip6tables, then the
> > > hash size is fixed and the set won't be duplicated, even if the new
> > > entry cannot be added to the set."
> >
> > Ok. But if the set is full, and I list it, it should show at least some
> > members present. When it stops working, it shows no members at all.
> >
> > On the other hand, I create sets with timeout 10. So, every 3 secs there
> > should be an expiration process which throws ~1/3 of entries from each
> > chain. And this should make place for some new entries.
>
> I'll address *your* problem, not the problem you observed with the ipset code
> (which may be a real problem).
>
> How many entries are in the set when it is 'full'? Have you tried setting the
> initial size of the hash to the maximum (64ki?)?

According to the listing of the set:

# ipset list fd_88
Name: fd_88
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 10
                             ^^^^
Size in memory: 82040
References: 3
Members:

Because the SET target won't trigger increasing the hash size and the max
collision is limited to 12, that means there can be at the maximum 12*1024
elements in that set. And that's the theoretical maximum.

By the way, the hash size is not limited in ipset 6.x when creating a hash
type of set.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
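A sizing check that follows from the reply above, added here as an example and not part of the thread or of ipset itself: it parses the header of an `ipset list` listing, derives the ceiling a SET-target-filled hash set can reach (hashsize * 12, capped by maxelem), and works out the initial hashsize needed for an expected number of entries. The listing is constructed, the function names are hypothetical, and rounding hashsize up to a power of two is an assumption.

```shell
# Added example, not from the thread. Given the text of `ipset list <set>`,
# derive the effective capacity of a hash set that is only ever filled by the
# iptables SET target: per the reply above, the target never grows the hash
# and a bucket holds at most 12 colliding entries, so the ceiling is
# hashsize * 12 (or maxelem if that is smaller). The listing is constructed.
SAMPLE_LISTING='Name: fd_88
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 10
Size in memory: 82040
References: 3
Members:
192.0.2.1 timeout 7
192.0.2.2 timeout 3'

# ipset_capacity LISTING -> "<hashsize> <maxelem> <effective_max> <members>"
ipset_capacity() {
    printf '%s\n' "$1" | awk '
        /^Header:/ {
            for (i = 2; i <= NF; i++) {
                if ($i == "hashsize") hs = $(i + 1)
                if ($i == "maxelem")  me = $(i + 1)
            }
        }
        /^Members:/ { in_members = 1; next }
        in_members && NF > 0 { n++ }
        END {
            eff = hs * 12            # 12 entries per bucket, no resize via SET target
            if (me + 0 < eff) eff = me
            printf "%d %d %d %d\n", hs, me, eff, n
        }'
}

# ipset_hashsize_for N -> smallest power-of-two hashsize whose 12-per-bucket
# ceiling reaches N entries (assumes hashsize is rounded to a power of two;
# use it with `ipset create ... hashsize <value>` for sets filled by SET).
ipset_hashsize_for() {
    need=$(( ($1 + 11) / 12 ))
    hs=1
    while [ "$hs" -lt "$need" ]; do hs=$(( hs * 2 )); done
    echo "$hs"
}

ipset_capacity "$SAMPLE_LISTING"   # 1024 65536 12288 2
ipset_hashsize_for 65536            # 8192
```

A set whose member count sits near the effective maximum rather than near maxelem is the symptom the thread describes: the hash is saturated long before maxelem is reached.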