ipac-ng 1.27 RH9 iptables all update - CPU runs at 100%
Boruvka
qWe at scnet.cz
Monday September 8 19:20:56 CEST 2003
Hello everyone,
I have an RH9 server, 512 MB RAM, 2500 AMD XP; people go to the internet through this server, and about 600 rules are defined on it for IPAC, which measures the volume of data transferred by users. With these rules, however, the server is loaded at 100% after a few hours and has to be restarted.
If I drop the IPAC rules, the server runs at 20% and 80% is free. The solution should be "user defined chains" in IPAC-NG, i.e. a sort of tree structure of rules, so that packets do not go through all 600 rules but branch, and each packet would thus pass through only e.g. 20-30 rules (depending on how that tree is set up).
However, I cannot manage to define the "user defined chains" :( If I define the rules in the classic way, the counting is OK.
rules.conf listing:
# here I try to pick out the traffic to network 192.168.1.0/24 from the total data flow
%chain%x168~fi|ipac~fi||all||192.168.1.0/24
%chain%x168~fo|ipac~fo||all|192.168.1.0/24|
%chain%x168~i|ipac~i||all||192.168.1.0/24
%chain%x168~o|ipac~o||all|192.168.1.0/24|
# if the packet belongs to network 192.168.1.0/24 (matches the rule above), run the packet through this rule and add the data to the given IP
168002i|x168~fi||all||192.168.1.2
168002o|x168~fo||all|192.168.1.2|
168002i|x168~i||all||192.168.1.2
168002o|x168~o||all|192.168.1.2|
# ... here this rule would continue in the same way for further IPs etc.
If I list the iptables rules, I see the chains x168~ defined for traffic to the "C" 192.168.1.0/24, but I no longer see the rules 168002 defined.
No error message appears anywhere.
Please help: if anyone has experience with defining user-defined (tree) rules for ipac-ng, how do you do it?
Thanks for the help, Boruvka
ipac.conf listing:
# This is the main ipac-ng configuration file. It contains the
# configuration directives that give the ipac-ng its instructions.
## mode of operations: operate only like old ipac or not
classic mode = no
## specify access agent. supported are: files, postg. files works with classic mode only
access agent = files
## accounting agent. iptables and ipchains available now. (ipchains is not supported in nonclassic mode)
account agent = iptables
## storage. gdbm, postgre and plain-file supported. (plain-file is not recommended)
storage = gdbm
## rules file for classic mode
rules file = /etc/ipac-ng/rules.conf
## login all users at startup (specific only for nonclassic mode) (only those who have enough cash)
login at start = yes
## support for traffic passing to\from auth host (specific only for nonclassic mode)
## name or ip of the auth host
## disable support if not specified,
##auth host = sibinet.com
# don't store lines containing only zeroes, to speed up processing and to save space
drop zero lines = yes
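An added example (mine, not code from the post or from ipac-ng) that parses a rules.conf fragment like the one above and renders the chain tree it describes as the iptables commands one would expect to see in the listing, so the intended structure can be compared against what ipac-ng actually installed. The field layout name|chain|iface|proto|src|dst and the jump semantics of the %chain% prefix are my reading of the format, and the sample rules are constructed from the post.

```python
# Sample rules.conf, constructed from the post (not a file read from disk).
RULES_CONF = """\
# select traffic to the 192.168.1.0/24 network from the overall flow
%chain%x168~fi|ipac~fi||all||192.168.1.0/24
%chain%x168~fo|ipac~fo||all|192.168.1.0/24|
# per-host counting rules inside the user chains
168002i|x168~fi||all||192.168.1.2
168002o|x168~fo||all|192.168.1.2|
168003i|x168~fi||all||192.168.1.3
168003o|x168~fo||all|192.168.1.3|
"""

CHAIN_TAG = "%chain%"  # assumption: marks a line that creates a user chain


def parse_rules(text):
    """Yield (is_chain, name, chain, iface, proto, src, dst) per rule line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_chain = line.startswith(CHAIN_TAG)
        if is_chain:
            line = line[len(CHAIN_TAG):]
        fields = (line.split("|") + [""] * 6)[:6]  # pad short lines, drop extras
        yield (is_chain, *fields)


def to_iptables(text):
    """Render the rule tree as iptables commands (interface field is ignored)."""
    cmds, created = [], set()
    for is_chain, name, parent, _iface, proto, src, dst in parse_rules(text):
        match = []
        if proto and proto != "all":
            match += ["-p", proto]
        if src:
            match += ["-s", src]
        if dst:
            match += ["-d", dst]
        if is_chain:
            if name not in created:  # create each user chain only once
                cmds.append(f"iptables -N {name}")
                created.add(name)
            cmds.append(" ".join(["iptables", "-A", parent, *match, "-j", name]))
        else:
            # plain counting rule: no target, iptables only counts bytes/packets
            cmds.append(" ".join(["iptables", "-A", parent, *match]))
    return cmds


def rules_per_chain(text):
    """Rules held by each chain; the tree keeps every chain short."""
    counts = {}
    for _is_chain, _name, parent, *_ in parse_rules(text):
        counts[parent] = counts.get(parent, 0) + 1
    return counts
```

A packet for 192.168.1.2 then traverses only the rules in ipac~fi plus those in x168~fi, instead of every per-host rule in the table.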