netfilter-devel.vger.kernel.org archive mirror
* latency increased X 10 on update
@ 2011-11-25 21:45 marty
  2011-11-25 23:04 ` Jozsef Kadlecsik
From: marty @ 2011-11-25 21:45 UTC (permalink / raw)
  To: netfilter-devel

Using ipset-6.9.1 on Linux-3.1.1
Only managing ipv4 traffic on Intel Atom-330 firewall.

Same iptables rules; however, after updating from v4 code I see issues.
Attacker sends a packet;
I detect an unserved dest port and --add-set Blah src;
LOG it, DROP it, and begone;
But the set may not match for several further packets.
Ouch. Buffers?

Blah is used as
iptables -t raw -I PREROUTING --match-set Blah src -j DROP
This DROP is NEVER logged, but certainly counted.

However, I often continue to log multiple packets from blocked hosts,
even though I am supposedly blocking them on the first bad packet.
I can confirm they are in the set, but when packet_count exceeds 1
something is very wrong with that picture.


Marty B.


* Re: latency increased X 10 on update
  2011-11-25 21:45 latency increased X 10 on update marty
@ 2011-11-25 23:04 ` Jozsef Kadlecsik
From: Jozsef Kadlecsik @ 2011-11-25 23:04 UTC (permalink / raw)
  To: marty; +Cc: netfilter-devel

On Fri, 25 Nov 2011, marty wrote:

> Using ipset-6.9.1 on Linux-3.1.1
> Only managing ipv4 traffic on Intel Atom-330 firewall.
> 
> Same iptables rules; however, after updating from v4 code I see issues.
> Attacker sends a packet;
> I detect an unserved dest port and --add-set Blah src;
> LOG it, DROP it, and begone;
> But the set may not match for several further packets.
> Ouch. Buffers?
> 
> Blah is used as
> iptables -t raw -I PREROUTING --match-set Blah src -j DROP
> This DROP is NEVER logged, but certainly counted.
> 
> However, I often continue to log multiple packets from blocked hosts, even
> though I am supposedly blocking them on the first bad packet.
> I can confirm they are in the set, but when packet_count exceeds 1 something is
> very wrong with that picture.

Please send exact data: the elements of the set at the given moment, the 
iptables rules and the log/counters which prove that something is wrong.

I don't really get how your subject is related to the text in your message 
body.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

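Added example, not code from this thread or from the ipset project: a small Python script that assembles the kind of evidence Jozsef asks for, by correlating the kernel LOG lines produced by the "unserved port" rule with the output of ipset list captured at the same moment. A source address that is a member of the set yet appears in the log more than once is exactly the anomaly Marty describes; a source that was logged but is not in the set is reported separately. The dmesg lines, the LOG prefix BADPORT, the addresses and timestamps, and the ipset list output are all constructed for this example. The parser relies only on the standard SRC=, PROTO= and DPT= fields of the LOG target and on the Members: section of ipset list output.

```python
import re
from collections import defaultdict

# Constructed sample of `dmesg` output from a LOG rule with prefix "BADPORT"
# (prefix, addresses and timestamps are made up for this example).
SAMPLE_DMESG = """\
[ 5123.001] BADPORT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=45120 DPT=23
[ 5123.240] BADPORT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=45121 DPT=23
[ 5124.010] BADPORT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=45122 DPT=8080
[ 5130.500] BADPORT IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.1 LEN=48 PROTO=UDP SPT=5060 DPT=5060
[ 5150.777] BADPORT IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=1024 DPT=22
"""

# Constructed `ipset list Blah` output, as if captured at the same moment.
SAMPLE_IPSET_LIST = """\
Name: Blah
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16544
References: 1
Members:
198.51.100.7
192.0.2.55
"""

# dmesg uptime stamp, LOG prefix, then the SRC/PROTO/DPT fields in the order
# the kernel LOG target prints them; other fields are skipped lazily.
LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<prefix>\S+)\s.*?\bSRC=(?P<src>[\d.]+)\s"
    r".*?\bPROTO=(?P<proto>\w+)\s.*?\bDPT=(?P<dpt>\d+)"
)


def parse_dmesg(text):
    """Return (uptime_seconds, src, proto, dport) per LOG line.
    Lines without a DPT field (e.g. ICMP) are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append((float(m.group("ts")), m.group("src"),
                            m.group("proto"), int(m.group("dpt"))))
    return records


def parse_ipset_members(text):
    """Extract the member addresses from `ipset list <set>` output."""
    members = set()
    in_members = False
    for line in text.splitlines():
        if line.strip() == "Members:":
            in_members = True
        elif in_members and line.strip():
            members.add(line.split()[0])  # first token; ignores per-entry options
    return members


def find_repeat_hits(records, members):
    """Group LOG lines by source address.
    A set member logged more than once is the anomaly from the first message:
    only the packet that added the source should ever reach the LOG rule.
    Sources that were logged but are absent from the set are returned separately."""
    stamps_by_src = defaultdict(list)
    for ts, src, _proto, _dport in records:
        stamps_by_src[src].append(ts)
    repeats = {}
    not_in_set = []
    for src, stamps in stamps_by_src.items():
        if src not in members:
            not_in_set.append(src)
        elif len(stamps) > 1:
            repeats[src] = {"logged": len(stamps),
                            "span": round(max(stamps) - min(stamps), 3)}
    return repeats, sorted(not_in_set)


if __name__ == "__main__":
    members = parse_ipset_members(SAMPLE_IPSET_LIST)
    repeats, not_in_set = find_repeat_hits(parse_dmesg(SAMPLE_DMESG), members)
    for src in sorted(repeats):
        info = repeats[src]
        print("%s: in set, yet logged %d times over %.3fs"
              % (src, info["logged"], info["span"]))
    for src in not_in_set:
        print("%s: logged but not a member of the set" % src)
```

On a real firewall, feed it the output of dmesg filtered on the LOG prefix together with ipset list Blah taken at the same time; the "span" value says for how long packets from a host kept reaching the LOG rule after the first one, which is the number the first message is missing.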
