[Users] Hardware node - Iptables firewall with ipset
Sergej Kandyla
sk.paix at gmail.com
Tue Mar 24 10:52:08 EDT 2009
Dariush Pietrzak writes:
>> nfqueue is a flexible userspace packet handler which uses the netfilter
>> netlink-queue library (kernel 2.6.14 or later). It filters by IP address.
>> It is optimized for thousands of rules (IP ranges) and is quite fast.
>>
> It seems like it would have to be very, very slow ( every rule would have
> to traverse kernelspace<->userspace barrier ), and the whole point of ipset
> is for this path to be rapid.
>
On the packet traversal diagram
http://jengelh.medozas.de/images/nf-packet-flow.png we can see that
the application layer is also involved in the general process.
I didn't really test nfqueue or ipset, but people have reported that
nfqueue is also very fast.
Why isn't patch-o-matic, or its ipset module part, included in the
mainstream kernel?
Nfqueue is a simple and quick solution. It doesn't require kernel
patching/rebuilding. This is a big advantage.
> Judging from experiences with shaperd (userspace shaping solution, using
> exactly the same interface), it works very well when you're using it as a toy
> (low pps, oversized hardware). It has lots of nice properties coming from
> decisionmaking code running in userspace.
>
>
>> Some people have reported bugs.
>> (Russian forum) http://www.opennet.ru/openforum/vsluhforumID1/79530.html
>>
> I don't think this is a bug, this fellow's machine is running out of
> memory, which results in:
> kernel: ipset: page allocation failure. order:0, mode:0x20
> and he even wrote that later oom-killer enters the picture. Considering
> what he's trying to achieve this is exactly the kind of problem that I
> would expect.
>
>
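The thread contrasts ipset's in-kernel set matching with NFQUEUE, where every queued packet crosses into userspace, and the quoted forum report shows an ipset box running out of memory. The script below is an added example, not code from either poster or from the ipset/netfilter projects: it generates an "ipset restore" file for a list of ranges, sizes the hash set explicitly, swaps a freshly built set in atomically, and points a single iptables rule at it. It assumes the modern ipset syntax (the hash:net type rather than the older nethash), a set called "blocklist", the sizing constants shown, and a constructed sample list of TEST-NET ranges; the kernel is only touched when the script is run as "sh script.sh apply list.txt" as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Loads a large list of IP ranges into
# an ipset and points one iptables rule at it, which is the "fast kernel path"
# the thread contrasts with NFQUEUE. Assumptions: modern ipset syntax (hash:net,
# not the old nethash), the set name "blocklist", and the sizing constants below.

# Constructed sample block list: one address or CIDR per line, '#' comments allowed.
SAMPLE_BLOCKLIST='# constructed test data (TEST-NET ranges)
192.0.2.0/24
198.51.100.0/25
203.0.113.7'

# Smallest power of two >= $1 (minimum 1024), used as the hash table size.
# Sizing the set explicitly matters: the quoted forum report ran the box out of
# memory, and hashsize/maxelem are what bound a hash:net set's footprint.
pow2_at_least() {
    n=1024
    while [ "$n" -lt "$1" ]; do n=$((n * 2)); done
    echo "$n"
}

# Emit "ipset restore" input on stdout: create set $1 sized for $2 entries,
# then one "add" line per non-empty, non-comment line read from stdin.
# Feeding one restore file instead of running "ipset add" per entry is what
# keeps loading thousands of ranges quick (one process, one kernel session).
gen_ipset_restore() {
    set_name=$1
    maxelem=$2
    printf 'create %s hash:net family inet hashsize %s maxelem %s\n' \
        "$set_name" "$(pow2_at_least "$maxelem")" "$maxelem"
    while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        printf 'add %s %s\n' "$set_name" "$entry"
    done
}

# The single iptables rule that consults the set: one rule, matched entirely in
# kernel space against the whole set. (The userspace alternative the thread
# discusses would be "iptables -I INPUT -j NFQUEUE --queue-num 0", which hands
# every matching packet to a userspace program instead.)
gen_iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Atomically replace the live set: build a temporary set, swap it in, drop the
# old one. Packets keep matching the old set until the swap, so there is no
# window where the rule matches an empty set. Needs root and the ipset tool.
load_ipset_atomically() {
    set_name=$1; maxelem=$2; listfile=$3
    tmp_set="${set_name}_new"
    ipset destroy "$tmp_set" 2>/dev/null || true
    gen_ipset_restore "$tmp_set" "$maxelem" < "$listfile" | ipset restore
    if ipset list "$set_name" >/dev/null 2>&1; then
        ipset swap "$tmp_set" "$set_name" && ipset destroy "$tmp_set"
    else
        ipset rename "$tmp_set" "$set_name"
    fi
}

# Only touch the kernel when explicitly asked: "sh this.sh apply list.txt".
# Otherwise just print what would be loaded, using the constructed sample list.
if [ "${1:-}" = "apply" ]; then
    load_ipset_atomically blocklist 65536 "$2"
    echo "set loaded; add the firewall rule once with:"
    gen_iptables_rule blocklist
else
    printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_ipset_restore blocklist 65536
    gen_iptables_rule blocklist
fi
```

Re-running "apply" with a new list rebuilds the temporary set and swaps it in; the iptables rule never has to change, which is the operational advantage of a set over thousands of individual rules. The maxelem value is a ceiling you choose for the deployment, and keeping it honest is the practical answer to the memory-exhaustion report quoted above.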