iptables -L *very* slow

iptables -L *very* slow

[Jean-Christian Imbeault]

When I try and print out my iptable rules using iptables -L, it takes 
about three minutes for the rules to print out (and there are only 9 of 
them).

Why is does this take so long? Is this a bug?

I am using the newest version of iptables with a custom 2.4.20 kernel.

Thanks!

jc

RE: iptables -L *very* slow

[Eugene Joubert]

[-- Attachment #1: Type: text/plain, Size: 561 bytes --]

Try using iptables -n -L "whatever"

It may be trying to do reverse lookups.

Hope this helps

-----Original Message-----
From: Jean-Christian Imbeault [mailto:jc@mega-bucks.co.jp] 
Sent: 17 02 2003 07:36 AM
To: netfilter@lists.netfilter.org
Subject: iptables -L *very* slow


When I try and print out my iptable rules using iptables -L, it takes 
about three minutes for the rules to print out (and there are only 9 of 
them).

Why is does this take so long? Is this a bug?

I am using the newest version of iptables with a custom 2.4.20 kernel.

Thanks!

jc


[-- Attachment #2: Type: text/html, Size: 1294 bytes --]

Re: iptables -L *very* slow

[Joel Newkirk]

On Monday 17 February 2003 12:36 am, Jean-Christian Imbeault wrote:
> When I try and print out my iptable rules using iptables -L, it takes
> about three minutes for the rules to print out (and there are only 9
> of them).
>
> Why is does this take so long? Is this a bug?
>
> I am using the newest version of iptables with a custom 2.4.20 kernel.

You'll probably have nearly instant listing with "iptables -n -L".  My 
guess is that it is taking all that time trying to resolve IP's in your 
rules to actual hostnames.  That lookup process is bypassed with the 
"-n" switch, to use numbers instead of names.

The root cause is a little deeper.  Either an IP cannot be resolved, or 
it is taking an unusually long time to resolve.  The latter might be 
caused by flawed DNS configuration at your end, or at the DNS for the 
machine in question.

j

Re: iptables -L *very* slow

[Arnt Karlsen]

On Mon, 17 Feb 2003 14:36:15 +0900, 
Jean-Christian Imbeault <jc@mega-bucks.co.jp> wrote in message 
<3E5074CF.90904@mega-bucks.co.jp>:

> When I try and print out my iptable rules using iptables -L, it takes 
> about three minutes for the rules to print out (and there are only 9
> of them).
> 
> Why is does this take so long? Is this a bug?

..no, a feature, it shows you you have bad resolving too.

..compare with 'iptables -nL'.  ;-)
 
> I am using the newest version of iptables with a custom 2.4.20 kernel.
> 
> Thanks!
> 
> jc
> 
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

Re: iptables -L *very* slow

[Jean-Christian Imbeault]

Thanks to all for pointing out the -n flag to me :) Now if I can just 
figure out why my rules keep disappearing ....

Jc

Re: iptables -L *very* slow

[Chris Barnes]

[-- Attachment #1: Type: text/plain, Size: 1047 bytes --]

I get the same thing when i list my rules. it used to happen to me with
ipchains as well.

I think the others are right when they say that its trying to resolve
the addresses but it might not necessarily mean that you have a faulty
DNS.

alot of my rules dont specify 1 host, they specify a subnet and it still
takes time for iptables to list the rules...

it might be a small bug that iptables is trying to lookup the name for a
subnet address...i thought it would be a little smarter to know that
10.3.2.0/24 isn't a host rather a subnet and therefore shouldn't try to
do a lookup...

anyway, do what the others suggested

ipchains -nL


On Mon, 2003-02-17 at 16:36, Jean-Christian Imbeault wrote:
> When I try and print out my iptable rules using iptables -L, it takes 
> about three minutes for the rules to print out (and there are only 9 of 
> them).
> 
> Why is does this take so long? Is this a bug?
> 
> I am using the newest version of iptables with a custom 2.4.20 kernel.
> 
> Thanks!
> 
> jc
> 
> 


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]