Re: ipset causes reverse dns lookups?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
On 16/04/2012 02:15, Ed W wrote:

On 16/04/2012 00:26, Ed W wrote:
In particular if I lock down iptables (-P DROP), then the above command takes quite some seconds to complete, rather than instantly if I open up iptables. This is causing me some problems with startup scripts
Am I missing some configuration option? Is this a bug? Why is a reverse DNS lookup needed? 

eg

$ iptables -I INPUT -j REJECT
$ time ipset create cp2 bitmap:ip,mac range 192.168.1.1/24
ipset v6.9.1: Set cannot be created: set with the same name already exists 
Command exited with non-zero status 1
real    0m 45.11s
user    0m 0.01s
sys     0m 0.00s
I upgraded to ipset 6.11 and note the same issue. I also just discovered I can repro this when adding to a set, eg: 

$ time /usr/sbin/ipset -! -q add cp2 192.168.105.56,58:b0:35:78:0d:f5
Command exited with non-zero status 1
real    1m 0.09s
user    0m 0.00s
sys    0m 0.01s
In this case I have multiple internet connections. Pushing IPs into an ipset forces that ip over a particular connection. If the box is currently on some non responsive network, then the resolver isn't working correctly and ipset is consequently also slow. 

Any ideas how I can get out of this?

Thanks

Ed W
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux