* how many rules can be added?
@ 2004-09-16 14:10 Alaadin
2004-09-16 16:48 ` Marc Haber
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Alaadin @ 2004-09-16 14:10 UTC (permalink / raw)
To: netfilter
Hello,
How many iptables rules can I add?
I have already added 40.
If I added up to 100 or 500 rules,
would this make problems?
Would this make the system lag?
Would this make the system hang?
How many iptables rules can I add? Or is it unlimited?
* Re: how many rules can be added?
2004-09-16 14:10 how many rules can be added? Alaadin
@ 2004-09-16 16:48 ` Marc Haber
2004-09-16 16:49 ` John A. Sullivan III
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Marc Haber @ 2004-09-16 16:48 UTC (permalink / raw)
To: Alaadin; +Cc: netfilter
On Thu, Sep 16, 2004 at 05:10:27PM +0300, Alaadin wrote:
> How many iptables rules can I add?
As long as you have enough memory.
> i added already 40
> If I added up to 100 or 500 rules,
I have once used a rule set with 8500 rules.
> would this make problems ?
Maybe.
> would this make the system lag ?
Maybe.
> would this make the system hang
Probably not.
> How many iptables rules can I add? Or is it unlimited?
Pretty much unlimited.
Real impact on your system's performance will depend on the structure
of your rule set. If you have 6000 rules that will never match, so
that every packet has to traverse all of these rules before it is
finally accepted, you will feel a noticeable impact. If you, however,
ACCEPT established and related packets early in your rule chain, you
will most probably be fine with tens of thousands of rules.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in the header
Karlsruhe, Germany | lose things." Winona Ryder | Fon: *49 721 966 32 15
Nordisch by Nature | How to make an American Quilt | Fax: *49 721 966 31 29
* Re: how many rules can be added?
2004-09-16 14:10 how many rules can be added? Alaadin
2004-09-16 16:48 ` Marc Haber
@ 2004-09-16 16:49 ` John A. Sullivan III
2004-09-16 21:26 ` Frank Gruellich
2004-09-17 9:33 ` Jan Du Caju
3 siblings, 0 replies; 5+ messages in thread
From: John A. Sullivan III @ 2004-09-16 16:49 UTC (permalink / raw)
To: Alaadin; +Cc: netfilter
On Thu, 2004-09-16 at 10:10, Alaadin wrote:
> Hello,
>
> How many iptables rules can I add?
> I have already added 40.
> If I added up to 100 or 500 rules,
> would this make problems?
> Would this make the system lag?
> Would this make the system hang?
> How many iptables rules can I add? Or is it unlimited?
You can add many more than 500! For the complex security we manage on
the ISCS project (http://iscs.sourceforge.net), we frequently encounter
rule sets many times this size.
As your rule set grows, you will want to pay attention to two particular
needs:
1) Optimize the traversal of your rule sets by using user defined
chains. This is analogous to database indexing. Sort your packets as
they come in and direct them to a subset of the total rules.
2) Optimize the load time of the rules. This is noticeable even with
relatively small rule sets. Use iptables-restore -n instead of loading
each rule separately with an iptables command.
Hope this helps - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
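Marc's point about accepting ESTABLISHED,RELATED traffic early and John's two points (sorting packets into user-defined chains, and loading with iptables-restore -n instead of one iptables call per rule) can be seen side by side in the following script. It is an added example, not code from the thread, the ISCS project or the netfilter project: the block-list networks, ports, chain names and file names are constructed for illustration, and the script only generates and inspects the two rule files, since loading them needs root.

```shell
#!/bin/sh
# Added example, not code from the thread: the same INPUT policy written
# as a flat ruleset and as a structured one, both in iptables-restore
# format. Networks, ports, chain names and file names are constructed.
set -eu

# Constructed stand-in for a long block list. A real one may run to
# hundreds of entries, which is exactly when layout starts to matter.
BLOCKED_NETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"
ALLOWED_TCP_PORTS="22 25 80 443"

# Flat layout: every packet, including packets of connections that were
# accepted long ago, walks the whole block list and the service list
# before the state rule at the end finally accepts it.
flat_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for net in $BLOCKED_NETS; do
        printf '%s\n' "-A INPUT -s $net -j DROP"
    done
    for port in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Structured layout, following Marc's and John's advice: accept packets of
# known connections first so only NEW connections pay for the block list,
# and keep the block list and the service rules in user-defined chains so
# a packet is tested against a subset of the rules, not all of them.
structured_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':BLOCKLIST - [0:0]' ':TCP_SERVICES - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -m state --state NEW -j BLOCKLIST'
    printf '%s\n' '-A INPUT -p tcp -m state --state NEW -j TCP_SERVICES'
    for net in $BLOCKED_NETS; do
        printf '%s\n' "-A BLOCKLIST -s $net -j DROP"
    done
    for port in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A TCP_SERVICES -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of rules in the built-in INPUT chain: the most a packet of an
# already established connection can traverse before it is accepted.
# Usage: input_chain_length flat_ruleset
input_chain_length() {
    "$1" | grep -c '^-A INPUT '
}

# Write both variants to files so they can be loaded atomically with
# iptables-restore (one parse and one table swap instead of one iptables
# invocation per rule). -n (--noflush) leaves rules already present in
# place. Loading needs root, so the command is printed rather than run.
save_rulesets() {
    dir=${1:-.}
    flat_ruleset > "$dir/flat.rules"
    structured_ruleset > "$dir/structured.rules"
    echo "load with: iptables-restore -n < $dir/structured.rules"
}

echo "INPUT rules traversed, flat layout:       $(input_chain_length flat_ruleset)"
echo "INPUT rules traversed, structured layout: $(input_chain_length structured_ruleset)"
```

Run with `sh`, the script reports 9 INPUT rules for the flat layout and 5 for the structured one; the structured figure stays at 5 however long the block list grows, because only packets that open a new connection ever enter BLOCKLIST. On recent iptables versions, `iptables-restore --test < structured.rules` parses the file without applying it, which is a cheap check to run before the real load.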
* Re: how many rules can be added?
2004-09-16 14:10 how many rules can be added? Alaadin
2004-09-16 16:48 ` Marc Haber
2004-09-16 16:49 ` John A. Sullivan III
@ 2004-09-16 21:26 ` Frank Gruellich
2004-09-17 9:33 ` Jan Du Caju
3 siblings, 0 replies; 5+ messages in thread
From: Frank Gruellich @ 2004-09-16 21:26 UTC (permalink / raw)
To: netfilter
* Alaadin <alaadin@alaadin.org> 16. Sep 04:
> Hello,
Hi,
> How many iptables rules can I add?
<URL:http://lists.netfilter.org/pipermail/netfilter/2004-March/050891.html>
> i added already 40
> If I added up to 100 or 500 rules,
> would this make problems ?
No.
> would this make the system lag ?
> would this make the system hang
Depends on your system: is it something with 8 MHz and 4 MB of RAM? I
have a router (P2, 133 MHz, 24 MB). In daily work it has about 200 rules
and a throughput of ~160 KB/s. Adding 6000 "-s $RANDOMIP -d $RANDOMIP -j
LOG"s resulted in a throughput of ~100 KB/s and a nice system load.
> Or is it unlimited?
No. HTH,
regards, Frank.
--
Sigmentation fault
* Re: how many rules can be added?
2004-09-16 14:10 how many rules can be added? Alaadin
` (2 preceding siblings ...)
2004-09-16 21:26 ` Frank Gruellich
@ 2004-09-17 9:33 ` Jan Du Caju
3 siblings, 0 replies; 5+ messages in thread
From: Jan Du Caju @ 2004-09-17 9:33 UTC (permalink / raw)
To: Alaadin; +Cc: netfilter
On Thu, Sep 16, 2004 at 05:10:27PM +0300, Alaadin wrote:
> Hello,
>
> How many iptables rules can I add?
> I have already added 40.
> If I added up to 100 or 500 rules,
> would this make problems?
> Would this make the system lag?
> Would this make the system hang?
> How many iptables rules can I add? Or is it unlimited?
If you have many rules and/or high bandwidth you should consider hipac
(High Performance Packet Classification). It uses the netfilter hooks
and ... check it out yourself at http://www.hipac.org
There is also a performance comparison with iptables ...
It exists for a 2.4 kernel. A 2.6 version is promised for October 2004.
As we (our university http://www.kuleuven.be/english) have many rules
we use it, and with success.
Hope this helps,
Jan.
--------------------------------------------------- KULeuvenNet ----
Jan.DuCaju@kuleuven.net http://www.KULeuven.Net/e_index.html
K.U.Leuven BELGIUM http://www.kuleuven.be/english
--------------------------------------------------------------------