> nfqueue is a flexible userspace packet handler which uses the netfilter
> netlink-queue library (kernel 2.6.14 or later). It filters by IP address.
> It is optimized for thousands of rules (IP ranges) and is quite fast.

It seems like it would have to be very, very slow (every rule would have to traverse the kernelspace<->userspace barrier), and the whole point of ipset is for this path to be rapid.

Judging from experiences with shaperd (a userspace shaping solution, using exactly the same interface), it works very well when you're using it as a toy (low pps, oversized hardware). It has lots of nice properties coming from decision-making code running in userspace.

> Some people reported bugs.
> (rus forum) http://www.opennet.ru/openforum/vsluhforumID1/79530.html

I don't think this is a bug; this fellow's machine is running out of memory, which results in:

kernel: ipset: page allocation failure. order:0, mode:0x20

and he even wrote that later the oom-killer enters the picture. Considering what he's trying to achieve, this is exactly the kind of problem that I would expect.

--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Total Existance Failure
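The diagnosis above (an ipset "page allocation failure" followed by the oom-killer means memory exhaustion, not an ipset bug) is easy to automate when triaging a host. The following is an added example, not part of the mailing list thread: a small Python triage helper that scans kernel log lines for the allocation-failure message quoted above and for a later OOM kill, and returns a verdict. The sample log lines are constructed for illustration; the `Out of memory: Kill process` wording follows the kernel's oom-killer message, but the timestamps, pids and host name are made up.

```python
import re
from typing import Dict, List

# Matches the line quoted in the thread, e.g.
#   kernel: ipset: page allocation failure. order:0, mode:0x20
ALLOC_FAIL = re.compile(
    r"kernel: (?P<who>[\w\-]+): page allocation failure\. "
    r"order:(?P<order>\d+), mode:(?P<mode>0x[0-9a-fA-F]+)"
)

# Matches the oom-killer's kill message, e.g.
#   Out of memory: Kill process 4321 (ipset) score 512 or sacrifice child
OOM_KILL = re.compile(r"Out of memory: Kill process (?P<pid>\d+) \((?P<comm>[^)]+)\)")

# Constructed sample log (not real data): two ipset allocation failures
# followed by an OOM kill, which is the pattern described in the thread.
SAMPLE_LOG = """\
Mar  3 12:00:01 host kernel: ipset: page allocation failure. order:0, mode:0x20
Mar  3 12:00:01 host kernel: Pid: 1234, comm: ipset Not tainted
Mar  3 12:00:05 host kernel: ipset: page allocation failure. order:0, mode:0x20
Mar  3 12:00:09 host kernel: Out of memory: Kill process 4321 (ipset) score 512 or sacrifice child
Mar  3 12:00:09 host kernel: Killed process 4321 (ipset)
"""


def triage(lines: List[str]) -> Dict[str, object]:
    """Scan kernel log lines and classify what they indicate.

    Returns a dict with the allocation failures found (line index, subsystem,
    order, gfp mode), the OOM kills found, and a verdict:
      - "memory_exhaustion": allocation failures and a later OOM kill
      - "allocation_pressure": allocation failures but no OOM kill (yet)
      - "clean": nothing relevant
    """
    failures = []
    kills = []
    for idx, line in enumerate(lines):
        m = ALLOC_FAIL.search(line)
        if m:
            failures.append({
                "line": idx,
                "subsystem": m.group("who"),
                "order": int(m.group("order")),
                "mode": m.group("mode"),
            })
            continue
        m = OOM_KILL.search(line)
        if m:
            kills.append({"line": idx, "pid": int(m.group("pid")), "comm": m.group("comm")})

    # The thread's reasoning: a failure followed later by the oom-killer is the
    # machine running out of memory, not a defect in the subsystem that failed.
    if failures and kills and kills[0]["line"] > failures[0]["line"]:
        verdict = "memory_exhaustion"
    elif failures:
        verdict = "allocation_pressure"
    else:
        verdict = "clean"

    return {"failures": failures, "oom_kills": kills, "verdict": verdict}


def subsystems_failing(lines: List[str]) -> List[str]:
    """Distinct subsystems that reported allocation failures, in order seen."""
    seen: List[str] = []
    for f in triage(lines)["failures"]:
        if f["subsystem"] not in seen:
            seen.append(f["subsystem"])
    return seen


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(result["verdict"], len(result["failures"]), "failures,",
          len(result["oom_kills"]), "OOM kills")
```

On a real host the input would come from `dmesg` or the kernel log in syslog; the helper only reads lines, so feeding it `open("/var/log/kern.log")` works the same way. An `order:0` failure is a single-page allocation, so seeing it fail is a strong sign of genuine memory exhaustion rather than fragmentation.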
