Re: connection tracking without iptables?

On Thu, 14 Oct 2004 at 20:31, Jiann-Ming Su wrote:
> On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie@xxxxxxxxxxx> wrote:
> > 
> >   egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
> > 
> 
> We're finding that any read operation on /proc/net/ip_conntrack really
> locks the system until that operation is completed.  That is, it's
> almost as if the read prevents any writes, so the firewall locks up
> momentarily until the read is done.  Is there a less system intensive
> way to read ip_conntrack?  Or, is my observation completely wrong?

You can try to use libipq or libiptc to read the connection tracking
list, but I don't know if it's even possible. You can check the source
code of iptstate to see how they do it, maybe you can find a way of
reading the data more quickly or at least read only the data you
need.
-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
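As an added example (not code from either poster), here is one way to follow the advice above and read the table only once, extracting every figure you need in a single awk pass instead of a grep and a wc per question. It assumes the classic /proc/net/ip_conntrack line layout of that era (on later kernels the equivalent file is /proc/net/nf_conntrack, which prefixes two extra columns); the sample lines below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Single-pass summary of a conntrack table dump (added example, classic
# /proc/net/ip_conntrack format; sample data is constructed, using
# documentation address ranges).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=43210 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=43210 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=43211 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=80 dport=43211 use=1
tcp      6 10 TIME_WAIT src=192.0.2.12 dst=198.51.100.5 sport=43212 dport=443 src=198.51.100.5 dst=192.0.2.12 sport=443 dport=43212 [ASSURED] use=1
udp      17 29 src=192.0.2.13 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.13 sport=53 dport=5353 [ASSURED] use=1
udp      17 3 src=192.0.2.14 dst=198.51.100.53 sport=5354 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.0.2.14 sport=53 dport=5354 use=1'

# count_conntrack FILE
# Reads FILE exactly once and prints four numbers on one line:
#   total  established  assured  unreplied
# "established" counts TCP entries whose state column is ESTABLISHED
# (column 4 in this layout); "assured" and "unreplied" count the flags
# that the tracker sets on any protocol's entry.
count_conntrack() {
    awk '
        { total++ }
        $1 == "tcp" && $4 == "ESTABLISHED" { est++ }
        /\[ASSURED\]/   { assured++ }
        /\[UNREPLIED\]/ { unreplied++ }
        END { printf "%d %d %d %d\n", total, est, assured, unreplied }
    ' "$1"
}

# conntrack_pct_used FILE MAX
# Percentage of a table limit MAX (for example the value of
# ip_conntrack_max on the host) that the entries in FILE occupy; useful
# for alerting before the table fills and new connections get dropped.
conntrack_pct_used() {
    total=$(count_conntrack "$1" | cut -d' ' -f1)
    echo $(( total * 100 / $2 ))
}

# On a live host of that era: count_conntrack /proc/net/ip_conntrack
```

Because every figure comes from one read, the file is opened once per polling interval rather than once per grep, which is the cheapest way to get the same numbers the original egrep | wc pipeline produced.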