I wrote (on 20 Feb 2002 at 13:08):
> Karl E. Jorgensen wrote (on 20 Feb 2002 at 9:57):
> > On Wed, Feb 20, 2002 at 09:13:47AM +0100, Tony Crawford wrote:
> > > Hi Gang!
> > [...]
> > > Running iptables -L by hand, I see that it's very slow. It takes
> > > a minute or two to read out the FORWARD chain in particular.
> > > Even without the -v argument!
> > [...]
> >
> > What about trying with the -n option? DNS lookups *will* slow
> > things down a bit.
>
> Ach du--! <slapping forehead>
On the other hand, I do like having the names rather than numbers in that output. And normally, lookups shouldn't take *that* long.

By experimenting, I found out that the long lookup occurred when my iptables rules used a netmask that does not correspond to a known subnet, namely 192.168.2.0/28 when the local network is 192.168.2.0/24. iptables was apparently waiting for a resolver timeout before printing "localnet/28". So for now I'm replacing that with separate rules for each host in that block of 16. Apparently there's no problem putting names on single addresses, just on blocks of them. Not exactly the way it's spozed to be, but quicker than setting up aliasing and splitting the network into "real" subnets.

Meanwhile, while we're on the subject, is there a way I can make cron (or run-parts or whoever) wait longer for the output before timing out? Or maybe detach the process? Or is that a bad idea?

T.

-- 
-- Tony Crawford -- [EMAIL PROTECTED] -- +49-3341-30 99 99 --
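The workaround Tony describes (replacing one 192.168.2.0/28 rule with sixteen single-host rules) is tedious to type by hand. The script below is an added example, not code from the thread: it expands an IPv4 CIDR block into the individual host addresses and prints one iptables command per host. It only prints the commands; the chain name (FORWARD), the block and the rule tail (`-j ACCEPT`) used in the usage line are assumptions for illustration. Listing with `iptables -L -n` remains the quick fix when you just want to read the rules without resolver delays.

```shell
#!/bin/sh
# Added example: generate per-host iptables rules from a CIDR block.
# Uses only POSIX sh arithmetic, so it runs under dash as well as bash.

# ip_to_int 192.168.2.0 -> 3232236032
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232236047 -> 192.168.2.15
int_to_ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# cidr_hosts 192.168.2.0/28 -> prints all 16 addresses of the block,
# one per line; host bits in the given address are masked off first,
# so 192.168.2.5/28 yields the same block as 192.168.2.0/28.
cidr_hosts() {
    addr=${1%/*}
    bits=${1#*/}
    base=$(ip_to_int "$addr")
    size=$(( 1 << (32 - bits) ))
    start=$(( base & ~(size - 1) ))
    i=0
    while [ "$i" -lt "$size" ]; do
        int_to_ip $(( start + i ))
        i=$(( i + 1 ))
    done
}

# per_host_rules CHAIN CIDR RULE_TAIL...
# Prints one "iptables -A CHAIN -s HOST/32 RULE_TAIL" line per host.
# /32 is explicit so the listing never shows a network/mask to resolve.
per_host_rules() {
    chain=$1
    cidr=$2
    shift 2
    cidr_hosts "$cidr" | while read -r host; do
        printf 'iptables -A %s -s %s/32 %s\n' "$chain" "$host" "$*"
    done
}

# Usage (assumed chain, block and rule tail): review the output, then
# pipe it through sh as root to apply it.
per_host_rules FORWARD 192.168.2.0/28 -j ACCEPT
```

Because the script emits plain commands rather than calling iptables itself, it can be run and reviewed as an unprivileged user, and the generated lines can be kept in the same place as the rest of the firewall script.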