Re: Slow iptables impatient cron solved
I wrote (on 20 Feb 2002 at 13:08):

> Karl E. Jorgensen wrote (on 20 Feb 2002 at 9:57):
>
> > On Wed, Feb 20, 2002 at 09:13:47AM +0100, Tony Crawford wrote:
> > > Hi Gang!
> > > [...]
> > > Running iptables -L by hand, I see that it's very slow. It takes a
> > > minute or two to read out the FORWARD chain in particular. Even
> > > without the -v argument!
> > [...]
> > What about trying with the -n option? DNS lookups *will* slow things
> > down a bit.
>
> Ach du--! (slapping forehead)
>
> On the other hand, I do like having the names rather than numbers in
> that output. And normally, lookups shouldn't take *that* long.

By experimenting, I found out that the long lookup occurred when my
iptables rules used a netmask that does not correspond to a known subnet,
namely 192.168.2.0/28 when the local network is 192.168.2.0/24. iptables
was apparently waiting for a resolver timeout before printing localnet/28.

So for now I'm replacing that with separate rules for each host in that
block of 16. Apparently there's no problem putting names on single
addresses, just on blocks of them. Not exactly the way it spozed to be,
but quicker than setting up aliasing and splitting the network into real
subnets.

Meanwhile, while we're on the subject, is there a way I can make cron (or
run-parts or whoever) wait longer for the output before timing out? Or
maybe detach the process? Or is that a bad idea?

T.

-- 
-- Tony Crawford -- [EMAIL PROTECTED] -- +49-3341-30 99 99 --
Re: Slow iptables impatient cron solved
On Wed, Feb 20, 2002 at 03:16:15PM +0100, Tony Crawford wrote:
> By experimenting, I found out that the long lookup occurred when my
> iptables rules used a netmask that does not correspond to a known subnet,
> namely 192.168.2.0/28 when the local network is 192.168.2.0/24. iptables
> was apparently waiting for a resolver timeout before printing localnet/28.

You can use /etc/networks to fill in these names. See man networks for
the syntax; it's pretty much the same as the hosts file.
Re: Slow iptables impatient cron solved
* Tony Crawford ([EMAIL PROTECTED]) [020220 06:14]:
> Meanwhile, while we're on the subject, is there a way I can make cron (or
> run-parts or whoever) wait longer for the output before timing out? Or
> maybe detach the process? Or is that a bad idea?

What if you had 2 separate jobs: one runs iptables and dumps the output in
a file somewhere, and the other mails it to you 10 minutes later. It's a
hack, though.

Anacron(8) doesn't mention anything about a timeout; it only mentions
waiting for jobs to finish. Maybe removing the -s flag would be of value?
Just stabbing in the dark, now, though.

good times,
Vineet

-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume/
--
I disapprove of what you say, but I will defend to the death your right
to say it.
--Beatrice Hall, The Friends of Voltaire, 1906
Re: Slow iptables impatient cron solved
Alan James wrote (on 20 Feb 2002 at 15:53):

> On Wed, Feb 20, 2002 at 03:16:15PM +0100, Tony Crawford wrote:
> > By experimenting, I found out that the long lookup occurred when my
> > iptables rules used a netmask that does not correspond to a known
> > subnet, namely 192.168.2.0/28 when the local network is 192.168.2.0/24.
> > iptables was apparently waiting for a resolver timeout before printing
> > localnet/28.
>
> You can use /etc/networks to fill in these names.

I already tried that, with no apparent success, but I'll try it some
more--that's the kind of nice painless solution I'd like best. I sure
don't want to install BIND here.

> See man networks for the syntax; it's pretty much the same as the hosts
> file.

I get "Undocumented" for that. (This is a potato/2.4.9 à la Bunk--is that
man page in Woody maybe?)

Thanks for the tips!

Tony

-- 
-- Tony Crawford -- [EMAIL PROTECTED] -- +49-3341-30 99 99 --
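An added example (not code from this thread) of the approach Alan suggests, taken one step further: instead of letting iptables consult the resolver at all, run `iptables -L -n` from cron and put the names back afterwards from local /etc/networks- and /etc/hosts-style tables only, so a cron job can never hang on a DNS timeout. The tables and the listing below are constructed; the file layouts assumed are those of networks(5) ("name number [aliases]", with trailing zero octets optionally omitted) and hosts(5) ("address name [aliases]").

```python
import re

# Constructed sample tables (not from the thread), in the formats of
# networks(5), "name number [aliases]", and hosts(5), "address name [aliases]".
NETWORKS_TEXT = """\
# name      number      aliases
localnet    192.168.2   lan
"""
HOSTS_TEXT = """\
192.168.2.1   gateway gw
192.168.2.5   fileserver
"""
# Constructed lines in the shape of `iptables -L FORWARD -n` output.
IPTABLES_TEXT = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.2.0/28       0.0.0.0/0
DROP       all  --  192.168.2.5          192.168.2.1
"""

def _pad_network(number):
    """Expand an abbreviated network number: '192.168.2' -> '192.168.2.0'."""
    octets = number.split(".")
    return ".".join(octets + ["0"] * (4 - len(octets)))

def parse_table(text, key_col, name_col, pad=False):
    """Parse a hosts/networks-style file into {address: primary name}.
    Comments are stripped; the first entry for a key wins, as in the files."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > max(key_col, name_col):
            key = _pad_network(fields[key_col]) if pad else fields[key_col]
            table.setdefault(key, fields[name_col])
    return table

ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\b")

def name_addresses(listing, networks, hosts):
    """Replace addresses in `iptables -n` output with names from the local
    tables only; nothing here asks the resolver, so nothing can time out."""
    def substitute(match):
        addr, prefix = match.group(1), match.group(2)
        if prefix:                         # a network: consult /etc/networks
            if addr == "0.0.0.0" and prefix == "/0":
                return "anywhere"          # what iptables itself prints here
            name = networks.get(addr)
            return name + prefix if name else match.group(0)
        return hosts.get(addr, addr)       # a single host: consult /etc/hosts
    return ADDR_RE.sub(substitute, listing)
```

Call `name_addresses(IPTABLES_TEXT, parse_table(NETWORKS_TEXT, 1, 0, pad=True), parse_table(HOSTS_TEXT, 0, 1))` to get the listing with `localnet/28`, `fileserver` and `gateway` in place of the numbers; addresses absent from both tables are left untouched rather than looked up.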