Re: Slow iptables && impatient cron solved
I wrote (on 20 Feb 2002 at 13:08):
> Karl E. Jorgensen wrote (on 20 Feb 2002 at 9:57):
>
> > On Wed, Feb 20, 2002 at 09:13:47AM +0100, Tony Crawford wrote:
> > > Hi Gang!
> > >
> > > [...]
> > >
> > > Running iptables -L by hand, I see that it's very slow. It takes
> > > a minute or two to read out the FORWARD chain in particular.
> > > Even without the -v argument!
> > >
> > > [...]
> >
> > What about trying with the -n option? DNS lookups *will* slow
> > things down a bit.
>
> Ach du--! <slapping forehead>
On the other hand, I do like having the names rather than numbers
in that output. And normally, lookups shouldn't take *that* long.
By experimenting, I found out that the long lookup occurred when my
iptables rules used a netmask that does not correspond to a known
subnet, namely 192.168.2.0/28 when the local network is
192.168.2.0/24. iptables was apparently waiting for a resolver
timeout before printing "localnet/28".
So for now I'm replacing that with separate rules for each host in
that block of 16. Apparently there's no problem putting names on
single addresses, just on blocks of them. Not exactly the way it
spozed to be, but quicker than setting up aliasing and splitting
the network into "real" subnets.
Meanwhile, while we're on the subject, is there a way I can make
cron (or run-parts or whoever) wait longer for the output before
timing out? Or maybe detach the process? Or is that a bad idea?
T.
--
-- Tony Crawford
-- tc@crawfords.de
-- +49-3341-30 99 99
--
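The two workarounds the thread arrives at, as an added example that is not code from the original post or from any of its authors: listing a chain with -n so iptables never calls the resolver at all, and expanding a block such as 192.168.2.0/28 into one rule per host when the block is not a "real" subnet the resolver knows about. The IPTABLES variable, the function names, and the dry-run default (commands are echoed rather than applied) are assumptions of this example; set IPTABLES=/sbin/iptables as root to apply the rules.

```shell
#!/bin/sh
# Added example, not from the original post. Lists firewall rules without
# reverse DNS and expands a CIDR block into per-host rules. IPTABLES, the
# function names and the dry-run default are assumptions of this example.

# Dry run by default: rule commands are echoed, not applied.
# Set IPTABLES=/sbin/iptables (as root) to apply them for real.
IPTABLES=${IPTABLES:-"echo iptables"}

# List a chain without reverse DNS (-n) so a slow or unreachable resolver
# cannot stall the listing; --line-numbers makes later -D/-I edits easier.
list_rules() {
    $IPTABLES -L "$1" -n -v --line-numbers
}

# Dotted quad -> 32-bit integer.
ip2int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every address in a CIDR block, one per line, lowest first.
# The network address is derived from the mask, so 192.168.2.37/28
# yields 192.168.2.32 .. 192.168.2.47.
cidr_hosts() {
    _net=${1%/*}; _len=${1#*/}
    _base=$(ip2int "$_net")
    _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
    _start=$(( _base & _mask ))
    _count=$(( 1 << (32 - _len) ))
    _i=0
    while [ "$_i" -lt "$_count" ]; do
        int2ip $(( _start + _i ))
        _i=$(( _i + 1 ))
    done
}

# One rule per host instead of a single "-s block/len" rule, so that
# "iptables -L" (even without -n) only ever has single addresses to
# resolve:  rules_for_block CHAIN BLOCK TARGET
rules_for_block() {
    for _h in $(cidr_hosts "$2"); do
        $IPTABLES -A "$1" -s "$_h/32" -j "$3"
    done
}

# Usage (dry run): 16 individual rules for the /28, then the listing.
rules_for_block FORWARD 192.168.2.0/28 ACCEPT
list_rules FORWARD
```

The per-host expansion is a workaround, not a fix: 16 rules for a /28 is tolerable, but for larger blocks the single "-s 192.168.2.0/28" rule with "iptables -L -n" is the better combination, since -n sidesteps the resolver entirely.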