- 09-16-2009 #1 Just Joined!
- Join Date
- Aug 2009
- Location
- Germany
- Posts
- 12
ip6tables -L slow to respond
Hello,
I have a CentOS running on an Xen VM. I have a problem when displaying ip6tables rules. It takes some seconds (~30-60 sec) to display the used IPv6 firewall rules, e.g. using:
# ip6tables -L -t mangle
I don't know what changes I've made to the system in the meantime; this has only started happening recently.
Could anyone give a hint where to look?
Thanks,
Eriza
- 09-16-2009 #2
Is this the only slow command or is everything slow?
- 09-16-2009 #3 Just Joined!
Hi Robert,
it's the only one that is slow. I mean, it takes a while until the output is returned to the console. Everything else runs ok.
Eriza
- 09-16-2009 #4
Have you tried to use any debugging on this issue? That would be where I would start. That, and check log files. Are you using IPv6 on your network? If not, you should shut it off.
What do your rules look like?
- 09-17-2009 #5 Just Joined!
Problem solved
I can't disable IPv6; I'm testing it.
The rule is just one line:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK 0 anywhere 2001:a:1::/64 MARK set 0x64
In the meantime I followed your suggestion to use a debugger. I tried with strace, and found out that ip6tables tries to connect to the nameserver IP addresses which are listed in the file /etc/resolv.conf. This file is somehow not correctly configured; the IP addresses listed there are not reachable. The delay in displaying ip6tables output turns out to be the delay waiting for the response from these unreachable nameservers. Correcting the file solves the problem.
Thanks very much for the hint!
- 09-17-2009 #6 Just Joined!
Another possibility is to use the -n option for ip6tables. This way it will not try to resolve names. E.g.:
ip6tables -n -L -t mangle
Rgds,
Eriza
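
Added example (not part of the original posts): a Python script that confirms the kind of strace finding described in post #5 by summing the time spent in timed-out poll() calls on sockets connected to port 53. The strace invocation (`strace -T -e trace=connect,poll`), the sample trace and the 192.0.2.x addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `strace -T -e trace=connect,poll`.
# 192.0.2.53 and 192.0.2.54 are documentation addresses, not values from the thread.
SAMPLE = '''\
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) <0.000020>
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0 <0.000015>
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) <0.000009>
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) <5.005102>
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.54")}, 16) = 0 <0.000014>
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}]) <0.000008>
poll([{fd=4, events=POLLIN}], 1, 5000) = 0 (Timeout) <5.005045>
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) <0.000009>
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) <5.004877>
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}]) <0.000008>
poll([{fd=4, events=POLLIN}], 1, 5000) = 0 (Timeout) <5.005210>
'''

# connect() to port 53 over IPv4 or IPv6; the first quoted string after the
# port is the nameserver address in both strace address layouts.
CONNECT_DNS = re.compile(r'^connect\((\d+), \{.*?_port=htons\(53\).*?"([^"]+)"')
# poll() that returned 0 (nothing answered); -T appends the elapsed time.
POLL_TIMEOUT = re.compile(r'^poll\(\[(.*?)\], \d+, \d+\) += 0 \(Timeout\) <([\d.]+)>')


def dns_stalls(trace):
    """Return {nameserver: seconds lost in timed-out poll() calls}."""
    fd_to_ns = {}                 # socket fd -> nameserver it was connected to
    stalls = defaultdict(float)
    for line in trace.splitlines():
        m = CONNECT_DNS.match(line)
        if m:
            fd_to_ns[m.group(1)] = m.group(2)
            continue
        m = POLL_TIMEOUT.match(line)
        if m:
            for fd in re.findall(r'fd=(\d+)', m.group(1)):
                if fd in fd_to_ns:    # ignore timeouts on non-DNS sockets
                    stalls[fd_to_ns[fd]] += float(m.group(2))
    return dict(stalls)


if __name__ == "__main__":
    for ns, secs in sorted(dns_stalls(SAMPLE).items()):
        print(f"{ns}: {secs:.1f}s waiting for DNS replies that never came")
```

If the totals account for most of the wall-clock delay, the listing itself is fast and the time is going to name resolution, which is what -n skips.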


