viewing rules and traffic while inserting/removing rules

Linux Netfilter discussions
 help / color / mirror / Atom feed

* viewing rules and traffic while inserting/removing rules
@ 2008-05-07 17:26 lists+netfilter
  2008-05-07 18:25 ` Jan Engelhardt
  2008-05-07 20:01 ` Steven Kath
  0 siblings, 2 replies; 7+ messages in thread
From: lists+netfilter @ 2008-05-07 17:26 UTC (permalink / raw)
  To: netfilter

Hi there,
I have quite a large list of blacklisted networks in my iptables 
firewall, approx. 20,000.
Now I have a script that updates this blacklist according to my needs 
every hour. My problem now is that during the update period (which 
consists of several iptables [-I|-D] $CHAIN -s ... -j ... commands) my 
traffic accounting is going haywire.
I have narrowed it down to the problem that displaying the rules (from 
which I extract the traffic information via iptables -xvnL $CHAIN) 
intermittently shows 0s (zeroes) as paket and byte counters while the 
insert/delete commands are being issued.
Is there a locking problem? Should I maybe report this to the devel list?
Regards,
Marc

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: viewing rules and traffic while inserting/removing rules
  2008-05-07 17:26 viewing rules and traffic while inserting/removing rules lists+netfilter
@ 2008-05-07 18:25 ` Jan Engelhardt
  2008-05-07 20:01 ` Steven Kath
  1 sibling, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2008-05-07 18:25 UTC (permalink / raw)
  To: lists+netfilter; +Cc: netfilter


On Wednesday 2008-05-07 19:26, lists+netfilter@roth.lu wrote:
> Hi there,
> I have quite a large list of blacklisted networks in my iptables firewall,
> approx. 20,000.
> Now I have a script that updates this blacklist according to my needs every
> hour. My problem now is that during the update period (which consists of
> several iptables [-I|-D] $CHAIN -s ... -j ... commands) my traffic accounting
> is going haywire.
> I have narrowed it down to the problem that displaying the rules (from which I
> extract the traffic information via iptables -xvnL $CHAIN) intermittently shows
> 0s (zeroes) as paket and byte counters while the insert/delete commands are
> being issued.
> Is there a locking problem? Should I maybe report this to the devel list?

Each invocation of iptables retrieves and writes the rule table back
into the kernel, which is very antiperformant. You want to be using
iptables-restore here to minimize any delays.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* RE: viewing rules and traffic while inserting/removing rules
  2008-05-07 17:26 viewing rules and traffic while inserting/removing rules lists+netfilter
  2008-05-07 18:25 ` Jan Engelhardt
@ 2008-05-07 20:01 ` Steven Kath
  2008-05-07 21:29   ` lists+netfilter
  2008-05-08 16:44   ` Grant Taylor
  1 sibling, 2 replies; 7+ messages in thread
From: Steven Kath @ 2008-05-07 20:01 UTC (permalink / raw)
  To: lists+netfilter, netfilter

Marc wrote:
> 
> Hi there,
> I have quite a large list of blacklisted networks in my iptables
> firewall, approx. 20,000.
> Now I have a script that updates this blacklist according to my needs
> every hour. My problem now is that during the update period (which
> consists of several iptables [-I|-D] $CHAIN -s ... -j ... commands) my
> traffic accounting is going haywire.
> I have narrowed it down to the problem that displaying the rules (from
> which I extract the traffic information via iptables -xvnL $CHAIN)
> intermittently shows 0s (zeroes) as paket and byte counters while the
> insert/delete commands are being issued.
> Is there a locking problem? Should I maybe report this to the devel
list?

Have you considered using netfilter's ip sets for this?  Sounds like it
might be perfect for your needs. 

http://www.netfilter.org/projects/ipset/ 


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: viewing rules and traffic while inserting/removing rules
  2008-05-07 20:01 ` Steven Kath
@ 2008-05-07 21:29   ` lists+netfilter
  2008-05-08 16:44   ` Grant Taylor
  1 sibling, 0 replies; 7+ messages in thread
From: lists+netfilter @ 2008-05-07 21:29 UTC (permalink / raw)
  To: netfilter

Steven Kath wrote:
> Have you considered using netfilter's ip sets for this?  Sounds like it
> might be perfect for your needs. 
>
> http://www.netfilter.org/projects/ipset/ 
>   
Yes, if it was right in the kernel (without patch-o-matic) I agree it 
would be the way to go ;)

Jan Engelhardt wrote:
> Each invocation of iptables retrieves and writes the rule table back
> into the kernel, which is very antiperformant. You want to be using
> iptables-restore here to minimize any delays.
You mean building a file and then using 'iptables-restore -n < file' ? I 
will take a look at it. Thanks.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: viewing rules and traffic while inserting/removing rules
  2008-05-07 20:01 ` Steven Kath
  2008-05-07 21:29   ` lists+netfilter
@ 2008-05-08 16:44   ` Grant Taylor
  2008-05-08 17:17     ` lists+netfilter
  1 sibling, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2008-05-08 16:44 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/07/08 15:01, Steven Kath wrote:
> Have you considered using netfilter's ip sets for this?  Sounds like 
> it might be perfect for your needs.

With out knowing how or what the OP is accounting we don't know if s/he 
is looking at each individual network that is being filtered or if it is 
clients behind the system.  If it is networks that are being filtered I 
would think that the single ipset rule would make it much harder, if not 
impossible, to keep accounting data for a single rule.

Grant. . . .

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: viewing rules and traffic while inserting/removing rules
  2008-05-08 16:44   ` Grant Taylor
@ 2008-05-08 17:17     ` lists+netfilter
  2008-05-08 19:21       ` Grant Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: lists+netfilter @ 2008-05-08 17:17 UTC (permalink / raw)
  To: Mail List - Netfilter

Grant Taylor wrote:
> On 05/07/08 15:01, Steven Kath wrote:
>> Have you considered using netfilter's ip sets for this?  Sounds like 
>> it might be perfect for your needs.
>
> With out knowing how or what the OP is accounting we don't know if 
> s/he is looking at each individual network that is being filtered or 
> if it is clients behind the system.  If it is networks that are being 
> filtered I would think that the single ipset rule would make it much 
> harder, if not impossible, to keep accounting data for a single rule.
I do not need to keep individual accounting data for each network that 
is blocked.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: viewing rules and traffic while inserting/removing rules
  2008-05-08 17:17     ` lists+netfilter
@ 2008-05-08 19:21       ` Grant Taylor
  0 siblings, 0 replies; 7+ messages in thread
From: Grant Taylor @ 2008-05-08 19:21 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/08/08 12:17, lists+netfilter@roth.lu wrote:
> I do not need to keep individual accounting data for each network that 
> is blocked.

Ok.  In that case, I agree that an ipset would likely be a better way to 
go.  However you made a comment about it not being in your kernel.



Grant. . . .

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2008-05-08 19:21 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-05-07 17:26 viewing rules and traffic while inserting/removing rules lists+netfilter
2008-05-07 18:25 ` Jan Engelhardt
2008-05-07 20:01 ` Steven Kath
2008-05-07 21:29   ` lists+netfilter
2008-05-08 16:44   ` Grant Taylor
2008-05-08 17:17     ` lists+netfilter
2008-05-08 19:21       ` Grant Taylor

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox