Hi,
We are running kernel 2.6.17 and using iptables 1.3.5 and are observing
a performance problem.
We have a netfilter firewall consisting of about 800 Chains and a total
of 10000 rules (iptables -nvL | wc -l).
A single iptables manipulation takes about 4 seconds (on a PIV 2GHz with
1Gb DDR2 RAM).
With the same firewall config (on slower hardware) in a 2.4.24 kernel
with iptables 1.2.9 the single iptables manip takes about 500ms.
I traced the iptables command in 2.6.17 and noticed that the 4 seconds
are actually lost in the setsockopt call to write the BLOB back to the
kernel (BLOB size 2Mb; 11000 entries).
Does anyone have any idea what might be causing this slowdown?
Has the kernel interface part changed dramatically between 2.4 and 2.6?
Is it correct to say that no traffic will pass through during the 4
seconds in which the filter is updated?
regards,
Bart Duchesne
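A small script, added here and not part of Bart's post, that does the per-syscall accounting behind the observation above: it sums the `<seconds>` suffix that `strace -T` appends to each line and reports which call dominates. The trace text is a constructed sample shaped like the getsockopt/setsockopt sequence iptables issues, not the actual trace from the post.

```python
import re
from collections import defaultdict

# Constructed sample of `strace -T` output (not from the original post).
# -T appends the wall-clock time spent inside each syscall as <seconds>.
# 0x40/0x41 are the raw option numbers iptables uses on the SOL_IP socket
# to fetch and replace the whole table blob.
SAMPLE_TRACE = """\
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)   = 3 <0.000021>
getsockopt(3, SOL_IP, 0x40, "filter\\0", [84]) = 0 <0.000152>
getsockopt(3, SOL_IP, 0x41, "filter\\0", [2097208]) = 0 <0.018300>
setsockopt(3, SOL_IP, 0x40, "filter\\0", 2097152) = 0 <3.960000>
getsockopt(3, SOL_IP, 0x41, "filter\\0", [2097208]) = 0 <0.017900>
close(3)                                 = 0 <0.000009>
"""

# syscall name at the start of the line, timing in angle brackets at the end
LINE_RE = re.compile(r'^(?P<name>\w+)\(.*\)\s*=\s*\S+.*<(?P<secs>\d+\.\d+)>\s*$')


def syscall_times(trace_text):
    """Return {syscall name: total seconds} summed over all matching lines."""
    totals = defaultdict(float)
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            totals[m.group('name')] += float(m.group('secs'))
    return dict(totals)


def slowest_syscall(trace_text):
    """Return (name, seconds, share of total time) for the dominant syscall."""
    totals = syscall_times(trace_text)
    if not totals:
        return None
    name = max(totals, key=totals.get)
    share = totals[name] / sum(totals.values())
    return name, round(totals[name], 6), round(share, 3)


if __name__ == "__main__":
    for name, secs in sorted(syscall_times(SAMPLE_TRACE).items(), key=lambda kv: -kv[1]):
        print(f"{name:12s} {secs:10.6f} s")
    print("dominant:", slowest_syscall(SAMPLE_TRACE))
```

Run the real thing as `strace -T -o trace.txt iptables ...` and feed `trace.txt` to `slowest_syscall` to confirm whether the table replace is the cost.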