connection tracking without iptables?
sujiannming at gmail.com
Thu Oct 14 20:31:11 CEST 2004
On Thu, 30 Sep 2004 19:34:30 -0400, Jason Opperisano <opie at 817west.com> wrote:
> egrep 'ESTABLISHED|ASSURED' /proc/net/ip_conntrack | wc -l
We're finding that any read operation on /proc/net/ip_conntrack really
locks the system until that operation is completed. That is, it's
almost as if the read prevents any writes, so the firewall locks up
momentarily until the read is done. Is there a less system-intensive
way to read ip_conntrack? Or, is my observation completely wrong?
"I have to decide between two equally frightening options.
If I wanted to do that,
I'd vote." --Duckman