[Users] Hardware node - Iptables firewall with ipset
Sergej Kandyla
sk.paix at gmail.com
Tue Mar 24 09:53:19 EDT 2009
Dariush Pietrzak wrote:
>>> Are there any problems with running an IPtables firewall using ipset
>>> functionality on the hardware node?
>>>
> Haven't encountered any yet, but I'm not using it very heavily right now.
>
>
>> Did you look at nfqueue?
>>
> what is the relation?
>
nfqueue is a flexible userspace packet handler which uses the netfilter
netlink-queue library (kernel 2.6.14 or later). It filters by IP address.
It is optimized for thousands of rules (IP ranges) and is quite fast.
>
>> Afaik ipset is not really stable, also it requires patching a
>>
> why do you think it's not 'really stable', can you point me to some
> recent/unsolved problems?
>
>
Some people have reported bugs.
(Russian forum) http://www.opennet.ru/openforum/vsluhforumID1/79530.html
>> patching a kernel... This is a big reason not to use the ipset module.
>>
> very funny comment for someone using openvz ;),
>
Maybe. But I don't patch the kernel myself. Instead, I use kernel
packages prebuilt by the Parallels team.
I don't want to spend my time patching and maintaining a custom kernel on
each of my servers.