Re: [netfilter-core] asymptotic complexity when creating new chains and rules

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Rusty Russell <rusty@rustcorp.com.au>
To: Stefan Winter <mail@stefan-winter.de>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [netfilter-core] asymptotic complexity when creating new chains and rules
Date: Sun, 04 Jan 2004 14:51:28 +1100	[thread overview]
Message-ID: <20040104043038.16CC32C2C1@lists.samba.org> (raw)
In-Reply-To: Your message of "Sat, 03 Jan 2004 16:36:10 BST." <200401031636.11291.mail@stefan-winter.de>

In message <200401031636.11291.mail@stefan-winter.de> you write:
> But, if you iterate this process a hundred times (with increasing "N" in the 
> chain name, so that you get 200 chains with 200*62 rules altogether), adding 
> the chains slows down with every new chain (first chain: 20 ms, all chains 
> together 150 SECONDS). This seems to imply that adding a chain (or rule) is 
> of complexity O(n) with n being the number of rules/chains already in the 
> table, where one would expect O(1). Is that right?

Yes.  In particular, the userspace is theoretically O(1), in that if
you read the chains once, kept that copy, and every time updated it
and committed it to the kernel, that would be O(1).  But most uses of
libiptc do "read all rules, insert new one, repeat".  Secondly, the
kernel isn't O(1): it checks for loops, and actually calls all the
rules' matches and targets to check they like where they are.

This is why Harald is working on pkttables, which abandons the whole
"flip the whole table into the kernel approach".

Cheers,
Rusty.
PS.  netfilter-devel is the correct mailing list.
--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.

next      parent reply	other threads:[~2004-01-04  3:51 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <200401031636.11291.mail@stefan-winter.de>
2004-01-04  3:51 ` Rusty Russell [this message]
2004-01-05 13:11   ` [netfilter-core] asymptotic complexity when creating new chains and rules Andre Uratsuka Manoel
2004-01-06 19:07     ` Harald Welte

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040104043038.16CC32C2C1@lists.samba.org \
    --to=rusty@rustcorp.com.au \
    --cc=mail@stefan-winter.de \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.