From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: iptables script file
Date: Thu, 28 Oct 2004 11:05:35 -0400
Message-ID: <20041028150535.GA4228@bender.817west.com>
In-Reply-To: <200410281351.i9SDpdoL058208@jkcpub.iserver.net>
On Thu, Oct 28, 2004 at 09:56:36AM -0400, Deepak Seshadri wrote:
> Hello everybody,
>
> Kenneth: Thank you very much for the reply. I'll look into this option.
>
> Does anybody have any other suggestion? How does everyone load their
> rule-set?
here's the state-of-the-union:

loading rules from a script that issues "iptables -A ..." commands over
& over again is not "efficient." whether this inefficiency is a problem
or not depends on the number of rules being loaded. the firewall i'm
testing with uses an actual ruleset of ~100 rules and takes less than 5
seconds to load:

time ./fw start
real 0m4.632s
user 0m0.300s
sys 0m4.310s

here's an example using a script that loads 1024 rules of the form:

iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW \
    -s 10.x.y.1/24 -j ACCEPT

(where x and y are incremented via a for loop)

# time ./addrules
real 0m20.855s
user 0m0.410s
sys 0m20.440s

now, let's do an "iptables-save" on those loaded rules, and see how long
an "iptables-restore" takes:

# time iptables-restore 1000rules.save
real 0m1.253s
user 0m0.080s
sys 0m1.130s

all these tests are performed on the same machine:

Linux vmg2 2.4.26-gentoo-r9 #2 Fri Sep 3 07:13:35 EDT 2004 i686 Intel(R)
Pentium(R) M processor 1.70GHz GenuineIntel GNU/Linux
192 MB RAM

so, the upshot is this--if your ruleset is sufficiently large to make
the inefficiency of scripted "iptables" commands a problem--you'll need
to use "iptables-restore" to load your rules. once you get the hang of
it, it really isn't that hard to just edit the "iptables-restore" file
format (even though this isn't "recommended").

hope this helps...

-j
--
Jason Opperisano <opie@817west.com>
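The "edit the iptables-restore file format" approach Jason describes, as an added example that is not part of his message or of any script on the list: a small POSIX sh generator that writes the 1024 per-/24 ACCEPT rules from his test directly in iptables-restore syntax, so the whole table is handed to the kernel in one iptables-restore call instead of 1024 iptables invocations. The default DROP policies on INPUT/FORWARD, the ESTABLISHED,RELATED baseline rule, the interface name eth0 and the 10.x.y.0/24 network form are assumptions for the sake of a realistic file; the function and file names are made up here.

```shell
#!/bin/sh
# Added example (not from the original mail): emit a complete *filter table
# in iptables-restore format rather than running "iptables -A" per rule.

# restore_rule SRC: one rule line in iptables-restore syntax (note: no
# leading "iptables"; iptables-restore expects the bare -A form).
restore_rule() {
    printf '%s\n' "-A INPUT -i eth0 -p tcp --syn -m state --state NEW -s $1 -j ACCEPT"
}

# gen_restore_file X_MAX Y_MAX: write the whole table to stdout with one
# ACCEPT rule per 10.x.y.0/24, x in 1..X_MAX and y in 1..Y_MAX
# (32 32 gives the 1024 rules from the mail). Policies and the
# ESTABLISHED,RELATED baseline are assumptions for this example.
gen_restore_file() {
    xmax=$1
    ymax=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    x=1
    while [ "$x" -le "$xmax" ]; do
        y=1
        while [ "$y" -le "$ymax" ]; do
            restore_rule "10.$x.$y.0/24"
            y=$((y + 1))
        done
        x=$((x + 1))
    done
    # COMMIT is what makes the table take effect; without it nothing is loaded.
    printf '%s\n' 'COMMIT'
}

# count_rules FILE: number of -A lines, a cheap sanity check before loading.
count_rules() {
    grep -c '^-A ' "$1"
}

# load_rules FILE: the whole file is parsed first and committed once, so a
# syntax error rejects the entire load instead of leaving a half-applied
# policy behind (which is what a script of iptables -A calls does when it
# dies midway).
load_rules() {
    iptables-restore < "$1"
}

# Usage: sh gen_rules.sh gen 32 32 > 1024rules.save && iptables-restore < 1024rules.save
if [ "${1:-}" = "gen" ]; then
    gen_restore_file "${2:-32}" "${3:-32}"
fi
```

The generated file is exactly what iptables-save would print for the same rules (minus the comment and counter lines), so it can be diffed against a live `iptables-save` after loading to confirm the policy on the box matches the file.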
Thread overview: 8+ messages
2004-10-25 21:26 iptables script file Deepak Seshadri
2004-10-25 21:28 ` Kenneth Porter
2004-10-28 13:56 ` Deepak Seshadri
2004-10-28 15:05 ` Jason Opperisano [this message]
2004-10-30 21:00 ` Jose Maria Lopez
2004-11-03 17:14 ` Deepak Seshadri
2004-10-28 15:14 ` Michael Gale