From: Ed W <lists@wildgooses.com>
To: netfilter <netfilter@vger.kernel.org>
Subject: Re: ipset causes reverse dns lookups?
Date: Mon, 16 Apr 2012 04:23:48 +0100
Message-ID: <4F8B90C4.3070600@wildgooses.com>
In-Reply-To: <4F8B72BB.4010307@wildgooses.com>

On 16/04/2012 02:15, Ed W wrote:
> On 16/04/2012 00:26, Ed W wrote:
>> In particular if I lock down iptables (-P DROP), then the above
>> command takes quite some seconds to complete, rather than instantly
>> if I open up iptables. This is causing me some problems with startup
>> scripts
>>
>> Am I missing some configuration option? Is this a bug? Why is a
>> reverse DNS lookup needed?
>
> eg
>
> $ iptables -I INPUT -j REJECT
> $ time ipset create cp2 bitmap:ip,mac range 192.168.1.1/24
> ipset v6.9.1: Set cannot be created: set with the same name already
> exists
> Command exited with non-zero status 1
> real 0m 45.11s
> user 0m 0.01s
> sys 0m 0.00s

I upgraded to ipset 6.11 and note the same issue. I also just
discovered I can repro this when adding to a set, eg:

$ time /usr/sbin/ipset -! -q add cp2 192.168.105.56,58:b0:35:78:0d:f5
Command exited with non-zero status 1
real 1m 0.09s
user 0m 0.00s
sys 0m 0.01s

In this case I have multiple internet connections. Pushing IPs into an
ipset forces that IP over a particular connection. If the box is
currently on some non-responsive network, then the resolver isn't
working correctly and ipset is consequently also slow.

Any ideas how I can get out of this?

Thanks

Ed W