[Users] Hardware node - Iptables firewall with ipset

Dariush Pietrzak ml-openvz-eyck at kuszelas.eu
Tue Mar 24 10:25:32 EDT 2009


> nfqueue is a flexible userspace packet handler which uses the netfilter  
> netlink-queue library (kernel 2.6.14 or later). It filters by IP address.
> It is optimized for thousands of rules (IP ranges) and is quite fast.
 It seems like it would have to be very, very slow (every rule would have
to traverse the kernelspace<->userspace barrier), and the whole point of ipset
is for this path to be rapid.
 Judging from experiences with shaperd (a userspace shaping solution, using
exactly the same interface), it works very well when you're using it as a toy
(low pps, oversized hardware). It has lots of nice properties coming from
decision-making code running in userspace.

> Some people reported bugs.
> (rus forum) http://www.opennet.ru/openforum/vsluhforumID1/79530.html
 I don't think this is a bug; this fellow's machine is running out of
memory, which results in:
 kernel: ipset: page allocation failure. order:0, mode:0x20
and he even wrote that later the oom-killer enters the picture. Considering
what he's trying to achieve, this is exactly the kind of problem that I
would expect.

-- 
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
 Total Existance Failure
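The configuration the message argues for, as an added example (not code from the original post or from the OpenVZ project): thousands of blocked prefixes go into one ipset hash, and a single iptables rule consults it in kernel space, with no per-packet trip to userspace. The NFQUEUE rule is printed only for contrast. The set name, hashsize/maxelem values, queue number and sample prefixes are illustrative assumptions; the script only generates the commands, it does not load them.

```shell
#!/bin/sh
# Added example, not code from the original post or the OpenVZ project: build
# the ipset + iptables configuration in which the per-packet decision stays in
# the kernel (one hash lookup against the set) instead of crossing into
# userspace as an NFQUEUE handler would. Set name, sizes, queue number and the
# sample prefixes are illustrative assumptions. Nothing here touches the
# kernel: it only prints commands to feed to `ipset restore` and to run as root.

SET_NAME="blocklist"
# hashsize/maxelem are fixed at creation time and bound the set's kernel memory;
# ipset rejects entries past maxelem instead of growing the table without limit,
# which is the knob to mind for the out-of-memory scenario discussed above.
HASHSIZE=4096
MAXELEM=65536

# Accept only dotted-quad IPv4 addresses or prefixes (loose check: each octet is
# 1-3 digits); ipset restore aborts on the first malformed line, so filter first.
is_ipv4_prefix() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Read prefixes from stdin (blank lines and # comments ignored) and emit an
# `ipset restore` script. Malformed lines are reported on stderr and skipped.
gen_ipset_restore() {
    printf 'create %s hash:net family inet hashsize %s maxelem %s\n' \
        "$SET_NAME" "$HASHSIZE" "$MAXELEM"
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        if is_ipv4_prefix "$line"; then
            printf 'add %s %s\n' "$SET_NAME" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# The whole blocklist, however large, is consulted by one rule in kernel space.
gen_ipset_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# For contrast, the NFQUEUE rule: every packet it sees is queued to a userspace
# program (queue 0 by default here) and held until that program returns a verdict.
gen_nfqueue_rule() {
    printf 'iptables -I INPUT -j NFQUEUE --queue-num %s\n' "${1:-0}"
}

# Usage (as root): ipset restore -exist < blocklist.ipset && sh blocklist.rules
# Constructed sample input; a real list would hold thousands of prefixes.
if [ "${1:-}" = "demo" ]; then
    printf '10.0.0.0/8\n# example prefix\n192.0.2.0/24\nnot-a-prefix\n' | gen_ipset_restore
    gen_ipset_rule
fi
```

Run with `sh script.sh demo` to see the generated restore file and rule; the `-exist` flag on `ipset restore` makes reloading an already-created set idempotent.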

