Koozali.org: home of the SME Server

masquerading :: iptables :: templating

piran
masquerading :: iptables :: templating
« on: October 20, 2012, 07:16:07 PM »
I'm looking for a way to speed up the compile of the iptables
templating for masquerading. Through no fault of its own, SME8
is taking a couple of minutes to restart the masq task after busily
compiling some 9000 custom-templated lines of user iptables rules.
These rules are necessary here, so may we concentrate on ways
of getting the existing compile job done more quickly, i.e. reducing
the 'pregnant pause' in connectivity until masquerading restarts.

Observing with htop I see 4 out of 8 CPU cores each working at
about 25% utilisation until masq has successfully restarted.
Email and ibay web sites are 'out of action' until masq is back
up, so the task *CAN* be allowed to occupy more utilisation,
e.g. by increasing NICE values on whatever does this work?

The latency of the masq compile became unhelpfully long some
years ago but I worked around this by building a new server
with higher spec components - the then existing server being
very old and slow. The current server is pretty decent...

I looked into the native base template and saw that it flushed
the user stuff early on so that knocks on the head any attempt
to fashion up an initial standing list that might perhaps compile a
little faster. In any case I have become a great fan of templating
so would rather stick to what our hard working Devs have authored.

Streamlining out any or all of the (optional) comment elements
of each rule is irrelevant as SME appears to do that for itself.

However, as iptables is an implicit part of masquerading, I notice
that just over half of each rule line is made up of the same
command element and wonder if that might be better used in
an external command loop that just needs the IP address
range in a great long list? Does that make sense? The data
file would then be half the size... would that speed it up?

I've tried multiple custom-templates, ditto sorted ones and also
a massive sorted single custom-template, but the upshot pretty
much each time proved irrelevant in regard to getting the masq
restart completed any or much more quickly. 9000 lines of
anything appears to take its toll in overall processing
speed, howsoever it's configured for the server!

Finally, is there a way of getting the web sites hosted on
SME8 to exhibit automatic '503 Service Unavailable' flags
until the masquerading compile is completed? Currently
everything just appears dead and unresponsive from
the outside and that's not very useful or helpful.

mmccarn
Re: masquerading :: iptables :: templating
« Reply #1 on: October 21, 2012, 03:11:48 PM »
Can you modify your custom rules using the secondary chain trick that SME uses for port forwards?

If you look at the default template fragments related to port forwarding, you'll see that SME does this:

42SetupPortForwarding
- Create a port forwarding chain that jumps to a secondary port forwarding chain
- Create an empty secondary port forwarding chain

91adjustPortForward
- Create a NEW secondary port forwarding chain
- Update the base port forwarding chain to jump to the new port forwarding chain.
- Destroy the now-unused secondary port-forwarding chain

I believe the point of this process is to allow updates to the port forwarding rules without any significant firewall down-time (without actually restarting masq, using an ADJUST signal instead of a SIGHUP signal).
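
The chain-swap sequence described above, written out as an added shell example. This is not SME Server's own template code and is not code from the thread; it only mirrors the 42SetupPortForwarding / 91adjustPortForward idea for a user masquerading rule set. The chain names (UserMasq, UserMasq_A, UserMasq_B), the use of the nat table, the outgoing interface name and the source ranges are all assumptions. The base chain is assumed to already exist and to be reached from POSTROUTING; the script never flushes it, so exactly one complete rule set stays reachable at every instant while the new one is built.

```shell
#!/bin/sh
# Added example, not SME Server template code. Assumed layout:
#   POSTROUTING -> UserMasq (base chain, created once, never flushed)
#   UserMasq    -> UserMasq_A or UserMasq_B (secondary chain, rebuilt on change)
# Set IPTABLES=echo to dry-run: the commands are printed instead of executed.

IPTABLES="${IPTABLES:-iptables}"
TABLE=nat
BASE="${BASE:-UserMasq}"

# gen_swap_commands OUT_IF OLD_CHAIN NEW_CHAIN
# Reads one source range per line from stdin (blank lines and '#' comments
# skipped) and prints, one per line, the iptables argument lists that:
#   1. create NEW_CHAIN and fill it with one MASQUERADE rule per range,
#   2. insert a jump to NEW_CHAIN at the head of BASE,
#   3. delete the jump to OLD_CHAIN from BASE,
#   4. flush and destroy OLD_CHAIN, which is now unreachable.
# Ordering matters: the new jump goes in before the old jump comes out, so
# there is no moment at which BASE points at nothing.
gen_swap_commands() {
    out_if=$1; old=$2; new=$3
    echo "-t $TABLE -N $new"
    while IFS= read -r range; do
        case "$range" in ''|'#'*) continue ;; esac
        echo "-t $TABLE -A $new -s $range -o $out_if -j MASQUERADE"
    done
    echo "-t $TABLE -I $BASE 1 -j $new"
    echo "-t $TABLE -D $BASE -j $old"
    echo "-t $TABLE -F $old"
    echo "-t $TABLE -X $old"
}

# apply_commands
# Runs each line from stdin as arguments to $IPTABLES, stopping at the first
# failure so a half-applied swap is visible rather than silently ignored.
apply_commands() {
    while IFS= read -r args; do
        # shellcheck disable=SC2086  # word splitting of $args is intended
        $IPTABLES $args || return 1
    done
}

# sample_ranges
# Constructed sample input (not taken from the thread) in the one-range-per-
# line form the generator expects.
sample_ranges() {
    printf '%s\n' '# constructed sample ranges' \
        '10.10.0.0/16' '192.168.5.0/24' '172.16.0.0/12'
}

# Dry-run demo: ./swap.sh --demo prints the command sequence for a swap from
# UserMasq_A to UserMasq_B on eth0 without touching the live firewall.
if [ "${1:-}" = "--demo" ]; then
    IPTABLES=echo
    sample_ranges | gen_swap_commands eth0 UserMasq_A UserMasq_B | apply_commands
fi
```

The swap removes the window in which the base chain has been flushed but not yet refilled; it does not by itself shorten the wall-clock time of loading thousands of rules, because every separate iptables invocation still reads and rewrites the whole table. Committing the generated rule set through iptables-restore, which loads the table in one kernel transaction, would attack that second cost; that is a further change not discussed in the thread.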


piran
Re: masquerading :: iptables :: templating
« Reply #2 on: October 21, 2012, 08:30:09 PM »
I am not familiar at all with 'Port Forwarding' and have
never actually 'used' one on any of my SME iterations.
Seems obvious that masquerading *IS* port forwarding,
so looks like it's time to get the manual out again :-)
And I *DO* like the sound of 'using an ADJUST signal
with no significant firewall down-time'. Will return to
this thread with some results or at least observations.

janet
Re: masquerading :: iptables :: templating
« Reply #3 on: October 21, 2012, 08:59:27 PM »
piran

Also look up the use of mangle when adjusting masq. It may also help.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

piran
Re: masquerading :: iptables :: templating
« Reply #4 on: October 21, 2012, 09:02:28 PM »
>>the use of mangle when adjusting
Yup... should help iron things out;-)
( couldn't resist it )