Dariush Pietrzak writes:
nfqueue is a flexible userspace packet handler which uses the netfilter
netlink-queue library (kernel 2.6.14 or later). It filters by IP address.
It is optimized for thousands of rules (IP ranges) and is quite fast.

It seems like it would have to be very, very slow (every rule would have
to traverse the kernelspace<->userspace barrier), and the whole point of ipset
is for this path to be rapid.

On the packet traversal diagram
http://jengelh.medozas.de/images/nf-packet-flow.png we can see that the
application layer is also involved in the general process.
I didn't really test nfqueue or ipset, but people reported that
nfqueue is also very fast.

Why isn't patch-o-matic, or its ipset module, included in the
mainstream kernel?

Nfqueue is a simple and quick solution. It doesn't require kernel
patching/rebuilding. This is a big advantage.

Judging from experiences with shaperd (a userspace shaping solution using
exactly the same interface), it works very well when you're using it as a toy
(low pps, oversized hardware). It has lots of nice properties coming from
decision-making code running in userspace.

Some people reported bugs.
(Russian forum) http://www.opennet.ru/openforum/vsluhforumID1/79530.html

I don't think this is a bug; this fellow's machine is running out of
memory, which results in:
kernel: ipset: page allocation failure. order:0, mode:0x20
and he even wrote that later the oom-killer enters the picture. Considering
what he's trying to achieve, this is exactly the kind of problem that I
would expect.
_______________________________________________
Users mailing list
[email protected]
https://openvz.org/mailman/listinfo/users