Re: Can you use "ipset" with OpenVZ 7 / Virtuozzo 7? [message #53550 is a reply to message #53549]
Mon, 17 June 2019 11:18
wsap
Messages: 56 Registered: March 2018 Location: Halifax, NS
Member
Hey HHawk,
I haven't specifically used Juggernaught before, but I have used a few other firewall solutions and, as long as NETFILTER=full is enabled on the container, they've all worked great.
Even with vz7 I *have* seen slowdowns when too many containers have too many standard iptables rules per node, however I haven't analyzed it in any great detail. This is the big advantage of ipset; you can use that to set up huge chains of rules without any such slowdowns. Hopefully juggernaught uses it too?
I generally try to keep my numiptent to under 5000 per container. I *think* when I ran into trouble it was around 20000 rules across all containers on a node. I'd suggest that juggernaught start using ipset instead. If that's not likely to happen, you could always check out csf -- it uses ipset.
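The point wsap makes above, that ipset keeps the iptables rule count (and so numiptent) flat no matter how many addresses you block, as an added example that is not code from the thread or from any of the firewall products mentioned. The set name `blocklist`, the chain and the sample addresses are constructed; the functions only emit the text you would feed to `ipset restore` and `iptables-restore`, they do not touch a live firewall.

```shell
#!/bin/sh
# Added example (not from the forum thread): collapse a per-address blocklist
# into one ipset plus a single iptables rule, instead of one rule per address.
# Set name, chain and addresses below are constructed for illustration.

# Constructed sample: addresses that would otherwise each become one iptables rule.
SAMPLE_ADDRS='203.0.113.10
203.0.113.11
198.51.100.0/24
192.0.2.45'

# Emit an `ipset restore` script: one create line, then one add line per entry.
# hash:net accepts both single hosts and CIDR blocks; -exist makes re-runs idempotent.
gen_ipset_restore() {
    set_name=$1
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536 -exist\n' "$set_name"
    printf '%s\n' "$2" | while IFS= read -r addr; do
        if [ -n "$addr" ]; then
            printf 'add %s %s -exist\n' "$set_name" "$addr"
        fi
    done
}

# The single rule that replaces N per-address rules: the set is consulted as one
# hash lookup, so the rule count stays at one however many entries the set holds.
gen_set_rule() {
    printf '%s\n' "-A INPUT -m set --match-set $1 src -j DROP"
}

# For comparison: the naive approach, one rule per address, which is what drives
# numiptent up and slows rule traversal on a busy node.
gen_per_addr_rules() {
    printf '%s\n' "$1" | while IFS= read -r addr; do
        if [ -n "$addr" ]; then
            printf '%s\n' "-A INPUT -s $addr -j DROP"
        fi
    done
}

# Count the non-empty lines (rules or set entries) a generator produced.
count_lines() {
    printf '%s' "$1" | grep -c .
}

if [ "${1:-}" = "--demo" ]; then
    gen_ipset_restore blocklist "$SAMPLE_ADDRS"
    gen_set_rule blocklist
fi
```

Run with `--demo` to print the restore script and the one rule; pipe the first part to `ipset restore` and put the rule in the container's iptables-restore file.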