  1. #1
    Just Joined!
    Join Date
    Aug 2009
    Location
    Germany
    Posts
    12

    ip6tables -L slow to respond


    Hello,

    I have CentOS running on a Xen VM. I have a problem when displaying ip6tables rules. It takes some seconds (~30-60 sec) to display the used IPv6 firewall rules, e.g. using:

    # ip6tables -L -t mangle

    I don't know what changes I've made to the system in the meantime; this has only started happening recently.

    Could anyone give a hint where to look?

    Thanks,
    Eriza

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Is this the only slow command or is everything slow?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Aug 2009
    Location
    Germany
    Posts
    12
    Hi Robert,

    it's the only one that is slow. I mean, it takes a while until the output is returned to the console. Everything else runs ok.

    Eriza

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Have you tried to use any debugging on this issue? That would be where I would start. That, and check log files. Are you using IPv6 on your network? If not, you should shut it off.
    What do your rules look like?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    Aug 2009
    Location
    Germany
    Posts
    12

    Problem solved

    I can't disable IPv6; I'm testing it. The rule is just one line:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    MARK       0        anywhere             2001:a:1::/64       MARK set 0x64

    In the meantime I followed your suggestion to use a debugger. I tried with strace, and found out that ip6tables tries to connect to the nameserver IP addresses which are listed in the file /etc/resolv.conf. This file is somehow not correctly configured; the IP addresses listed there are not reachable. The delay in displaying ip6tables output turns out to be the delay waiting for the response from these unreachable nameservers. Correcting the file solves the problem.

    Thanks very much for the hint!

  6. #6
    Just Joined!
    Join Date
    Aug 2009
    Location
    Germany
    Posts
    12
    Another possibility is to use the -n option for ip6tables. This way it will not try to resolve names. E.g.:

    ip6tables -n -L -t mangle

    Rgds,
    Eriza
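
The strace diagnosis described in post #5, as an added example that is not part of the original thread: it reads an strace capture, lists the port-53 servers the command contacted, checks them against resolv.conf, and totals the time lost in timed-out poll() calls. The function names, the capture lines and the addresses (documentation ranges) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): summarise DNS activity in a capture from
#   strace -f -T -e trace=connect,poll -o trace.txt ip6tables -L -t mangle
# -T appends the time spent in each syscall as <seconds>.

# Distinct addresses the traced process connected to on port 53.
dns_servers() {
    sed -n -e 's/.*htons(53).*inet_addr("\([^"]*\)").*/\1/p' \
           -e 's/.*htons(53).*inet_pton(AF_INET6, "\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Nameservers configured in a resolv.conf-style file.
configured_servers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort -u
}

# Whole seconds spent in poll() calls that ended in "(Timeout)".
timeout_seconds() {
    awk '/poll\(.*\(Timeout\)/ && match($0, /<[0-9.]+>/) {
             total += substr($0, RSTART + 1, RLENGTH - 2)
         }
         END { printf "%.0f\n", total }' "$1"
}

report() {  # $1 = strace capture, $2 = resolv.conf
    for ns in $(dns_servers "$1"); do
        if configured_servers "$2" | grep -qxF "$ns"; then
            echo "DNS query sent to $ns (listed in $2)"
        else
            echo "DNS query sent to $ns (not listed in $2)"
        fi
    done
    echo "$(timeout_seconds "$1")s spent waiting on unanswered queries"
}

# Constructed sample data: two unreachable resolvers (documentation addresses).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
trace=$tmp/trace.txt conf=$tmp/resolv.conf
printf 'nameserver 192.0.2.53\nnameserver 198.51.100.53\n' > "$conf"
cat > "$trace" <<'EOF'
1234 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0 <0.000031>
1234 poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) <5.004871>
1234 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.51.100.53")}, 16) = 0 <0.000027>
1234 poll([{fd=4, events=POLLIN}], 1, 5000) = 0 (Timeout) <5.005102>
EOF
report "$trace" "$conf"
```

On a real system, pass the strace output file and /etc/resolv.conf to report; a non-zero timeout total alongside listed servers points at the same cause found in the thread.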
