ipac-ng 1.27 RH9 iptables all update - CPU runs at 100%

Boruvka qWe at scnet.cz
Monday September 8 19:20:56 CEST 2003


Greetings all,
    I have an RH9 server, 512 MB RAM, 2500 AMD XP; people reach the internet through this server, and about 600 rules are defined on it for IPAC, measuring the volume of data transferred by users. With these rules, however, the server is at 100% load after a few hours and has to be restarted.
If I drop the IPAC rules, the server runs at 20% and 80% is free. The solution should be "user defined chains" in IPAC-NG, i.e. a kind of tree structure of rules, so that packets do not go through all 600 rules but branch, so that each packet would pass through only e.g. 20-30 rules (depending on how that tree is set up). 
    But I cannot manage to define the "user defined chains" :( If I define the rules the classic way, counting is OK.

rules.conf listing:

#here I try to pick the traffic to the network 192.168.1.0/24 out of the total data flow
%chain%x168~fi|ipac~fi||all||192.168.1.0/24
%chain%x168~fo|ipac~fo||all|192.168.1.0/24|
%chain%x168~i|ipac~i||all||192.168.1.0/24
%chain%x168~o|ipac~o||all|192.168.1.0/24|

#if the packet belongs to the network 192.168.1.0/24 (matches the rule above), run the packet through this rule and add the data to the given IP
168002i|x168~fi||all||192.168.1.2
168002o|x168~fo||all|192.168.1.2|
168002i|x168~i||all||192.168.1.2
168002o|x168~o||all|192.168.1.2|
#... here this rule would continue in the same way for further IPs etc...


If I list the iptables rules, I see the "chains" x168~ defined for traffic to the "C" 192.168.1.0/24, but I no longer see the "rules" 168002 defined.

No error message appears anywhere.

Please help: if anyone has experience with defining user-defined (tree) rules for ipac-ng, how do I do it?

    Thanks for the help, Boruvka


ipac.conf listing:

# This is the main ipac-ng configuration file.  It contains the
# configuration directives that give the ipac-ng its instructions.

## mode of operations: operate only like old ipac or not
classic mode = no

## specify access agent. supported are: files, postg. files works with classic mode only
access agent = files

## accounting agent. iptables and ipchains available now. (ipchains is not supported in nonclassic mode)
account agent = iptables

## storage. gdbm, postgre and plain-file supported. (plain-file is not recommended)
storage = gdbm

## rules file for classic mode
rules file = /etc/ipac-ng/rules.conf

## login all users at startup (specific only for nonclassic mode) (only those who have enough cash)
login at start = yes

## support for traffic passing to/from auth host (specific only for nonclassic mode)
## name or ip of the auth host
## disable support if not specified,
##auth host = sibinet.com

# don't store lines containing only zeroes, to speed up processing and to save space
drop zero lines = yes


