Comments:
<0> iptables -A FORWARD -p tcp -i $INET_IFACE --destination-port 21 --destination 192.168.0.144 -j ACCEPT
<0> what does this do?
<0> or what does the --destination field stand for?
<0> if the packet is for xxx then accept?
<1> gug
<1> I am trying to configure the IPSec connection between RedHAT and Solaris -
<1> host to host in Transport mode. I have configured the RedHat host as follows
<1> oops, sorry
<1> copy-paste :(
<2> is there any channel for linux advanced routing ...
<2> anybody
<3> anybody ... is there any channel for linux advanced routing?
<3> i have the following rule
<3>
<3> ip rule add fwmark 1 table t0
<3>
<3> but all the traffic is going through the main table
<3>
<3> fwmark 1 packets should lookup from t0
<3>
<3> but it's not happening
<3>
<3> can somebody help me
<4> xyz: There is an example in LARTC.
<4> xyz: Did you see it
<4> ?
<3> can you give me the link
<5> does somebody still remember who on this channel offered me travel sponsorship for the FISL conference?
<6> if my conntrack hashtable falls back to vmalloc will I get noticeably worse performance?
<7> why should it fall back in the first place?
<6> jengelh: cause it's too big probably
<6> I have 512k of buckets
<7> hm
<7> that's already too big IIRC
<7> then use vmalloc from the start
<7> or better even, getpage...() see LDD3
<6> I am not programming the kernel, just trying to set up the router ;)
<7> so why mess with hashtables then
<6> Gandalf shows in his conntrack paper that the ratio of conntrack entries to hashtable buckets is important for lookups
<6> default # of buckets for a > 1G machine is 8k
<7> then raise the bucket numbers
<6> I have over 500K entries in conntrack, so I always increase the number of buckets
<7> grommet: step in?
<6> at the moment I run 256k of buckets
<6> wanted to increase them to 512k, seeing that it might improve the performance..
<7> unless you can prove it improves performance, there is no need to change it
<6> see: http://people.netfilter.org/gandalf/nfws2005_presentation.pdf pages 5-7
<8> jengelh: it already tries to use get_free_pages() (iirc that's the name)
<7> right, gfp
<7> so everything should be fine
<8> but that only succeeds for large allocations right after bootup when memory isn't fragmented
<7> does the mm not do some defrag then?
<8> not yet
<7> but then the allocation must be quite big too
<7> i'd probably have no problem allocating 128 at once on this 768, would I?
<8> there are some patches that are being developed and sent to lkml from time to time
<6> it is right after bootup, I get it in dmesg
<6> and conntrack is compiled in, not a module
<6> ip_conntrack version 2.4 (524288 buckets, 2097152 max) - 304 bytes per conntrack ip_conntrack: falling back to vmalloc.
<7> Gandalf_ : There is a potential Oops.
<7> if (!hash) {
<7>     *vmalloced = 1;
<7>     printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
<7>     hash = vmalloc(sizeof(struct list_head) * size);
<7> }
<7> We should test again for hash==NULL
<7> in case vmalloc fails too
<7> bbl. Gandalf_ , don't forget to scroll up
<6> jengelh: both callers check the return value of alloc_hashtable()
<6> but, will I be better off reducing the size and going with a ratio of 1:2, or going 1:1 with vmalloc() allocation?
<8> jengelh: I thought we did that...
<8> kaitseb: I'm not sure which is best, I haven't performed any benchmarks regarding that
<9> can anyone explain to me what net.ipv4.route.min_adv_mss does?
<7> Gandalf_ : Got that?
<8> jengelh: ? we do check the return value of that function, that's why it isn't checked once again in the function
<7> ok
<7> Do you know of a target that allows changing layer 7 data?
<8> no
<8> you can always write one :)
<7> i'm thinking about it
<8> but I hope you mean layer 4 or 5...
<8> so you don't have to implement protocol parsers and all that crap :)
<7> Is there anything in a proxy-style request that apache can't handle besides the "GET http://domain/document HTTP/1.x" part?
<7> Well I've got an itchy situation
<8> apache has a mod_proxy iirc
<7> good thing
<7> so
<7> windows clients are set to use an internal proxy (which further connects to an external proxy). However, for specific reasons, the DMZ webserver(s) shall fall under the no-proxy thing, but I am not in the mood of changing all 1000 user profiles to include it in the noproxy definition
<7> so I thought of something like DNAT and then, well, modify the request so it fits the webserver
<7> i'll look into mod_proxy
<10> arturaz: I guess that would be the min advertised MSS of this host
<7> Gandalf_ : What's the difference between a forward and a reverse proxy? I think I know it, but in the case of apache, it confuses me.
<8> both those terms usually have different meanings in different texts :)
<7> ah right i missed the description
<7> Gandalf_ : Do you know the -m owner match?
<8> jengelh: a bit, it has been stripped a bit since there's no good solution to some problems it introduces
<7> will there be any solution
<8> probably not
<7> shrug
<7> the worst is to have it go away
<8> some of the things it does just can't be done from the interrupt context in a safe way
<7> i am currently using it to force all users to use a transparent bridge proxy
<7> quite nice, like -m owner ! --uid-owner squid -j REDIRECT --to localhost:3128
<7> except for the squid itself, that is
<11> gug
<12> hello anyone here?
<12> just a question about some really old stuff :)
<12> anyone here still familiar with ipchains? :p
<12> does it even know protocols?
<12> should add a protocol 50 allow for vpn
<12> but no idea how/if this should be done in ipchains