* Re: netfilter efficiency
From: Peter Surda @ 2005-01-21 13:30 UTC
To: netfilter-devel
On Thu, Jan 20, 2005 at 06:56:04PM +0100, MauroTablo' wrote:
> Hi all.
hi
> The question is: does iptables confront the TCP packet with all my 90 rules, or
> does it confront the packet ONLY WITH rules for tcp packets (-p tcp)? In other
> words, is there a function in netfilter that looks up the protocol type
> of a transit packet and decides which rules to confront the packet with?
You can optimise this like this:
iptables -N tcp
iptables -N udp
iptables -N icmp
iptables -A FORWARD -p tcp -j tcp
iptables -A FORWARD -p udp -j udp
iptables -A FORWARD -p icmp -j icmp
iptables -A tcp my tcp rules
iptables -A udp my udp rules
iptables -A icmp my icmp rules
> Thank you.
> Mauro.
Bye,
Peter Surda (Shurdeek) <shurdeek@routehat.org>, ICQ 10236103, +436505122023
--
Hello, this is Bill Gates and I pronounce Monopoly, er, Windows as Windows.
* Re: netfilter efficiency
From: Samuel Jean @ 2005-01-21 13:39 UTC
To: MauroTablo'; +Cc: netfilter-devel
On Thu, January 20, 2005 12:56 pm, MauroTablo' said:
> Hi all.
Hi !
> [...]
> The question is: does iptables confront the TCP packet with all my 90 rules,
> or does it confront the packet ONLY WITH rules for tcp packets (-p tcp)?
> In other words, is there a function in netfilter that looks up the
> protocol type of a transit packet and decides which rules to confront the
> packet with?
Unfortunately, not as far as I know. The NFC_CACHE system hasn't been
implemented yet.
There were plans for this, but I think it won't be implemented until
pkttables is out. (Just a guess.)
By now, your packets just hit every rule and are tested against your -p proto.
>
> Thank you.
> Mauro.
>
Cheers,
Samuel
* Re: netfilter efficiency
From: Sven-Haegar Koch @ 2005-01-21 13:42 UTC
To: Samuel Jean; +Cc: MauroTablo', netfilter-devel
On Fri, 21 Jan 2005, Samuel Jean wrote:
> On Thu, January 20, 2005 12:56 pm, MauroTablo' said:
>> [...]
>> The question is: does iptables confront the TCP packet with all my 90 rules,
>> or does it confront the packet ONLY WITH rules for tcp packets (-p tcp)?
[...]
> By now, your packets just hit every rule and are tested against your -p proto.
To speed things up you can use subchains.
iptables -N mytcpchain
iptables -A mytcpchain ....
iptables -A FORWARD -p tcp -j mytcpchain
iptables -A FORWARD -p udp -j myudpchain etc etc
That way iptables needs to check only a subset of your rules.
c'ya
sven
--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
* Re: netfilter efficiency
From: Maxime Ducharme @ 2005-01-21 19:35 UTC
To: MauroTablo', netfilter-devel
Hi
I think the packet will traverse every filter
before getting dropped by the policy.
Suggestion:
add a drop rule after each protocol.
if packet is tcp
-A FORWARD -p tcp --dport 123 -j ACCEPT
...
-A FORWARD -p tcp --dport 1234 -j ACCEPT
-A FORWARD -p tcp -j DROP
-A FORWARD -p udp --dport 123 -j ACCEPT
-A FORWARD -p udp --dport 1234 -j ACCEPT
...
-A FORWARD -p udp -j DROP
This way a tcp packet which is not allowed won't
get to udp and icmp rules.
Hope this helps
Have a nice day
Maxime Ducharme
Programmer / Network security specialist
----- Original Message -----
From: "MauroTablo'" <m.tablo@libero.it>
To: <netfilter-devel@lists.netfilter.org>
Sent: Thursday, January 20, 2005 12:56 PM
Subject: netfilter efficiency
Hi all.
My Linux (+ iptables) based firewall has about 90 forward filtering rules,
for tcp packets (about 30 rules), udp datagrams (about 40 rules) and icmp
messages (about 20 rules).
Suppose that a transit tcp packet comes in that doesn't match any of my
rules. So, the last rule will be applied, because it is the first one that
matches the packet (/sbin/iptables -A FORWARD -j DROP).
The question is: does iptables confront the TCP packet with all my 90 rules, or
does it confront the packet ONLY WITH rules for tcp packets (-p tcp)?
In other words, is there a function in netfilter that looks up the
protocol type of a transit packet and decides which rules to confront the
packet with?
Thank you.
Mauro.
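The following is an added example, not code from Peter, Sven, Maxime or anyone else in this thread. It generates, in iptables-restore syntax, the per-protocol subchain layout suggested earlier in the thread combined with the explicit per-protocol DROP from this reply, and it counts how many rule comparisons a packet that matches nothing goes through in the flat layout of the original question versus the dispatched layout, using the 30/40/20 rule counts Mauro gave. The chain names (fwd_tcp, fwd_udp, fwd_icmp) and the port and ICMP-type lists are constructed sample values, not anyone's real ruleset.

```shell
#!/bin/sh
# Added example, not from any poster in this thread. It builds a FORWARD
# ruleset that dispatches on protocol into one user chain per protocol, so a
# packet is only compared against that protocol's rules, and ends each chain
# with an explicit DROP so a rejected tcp packet never reaches the udp or icmp
# rules. Output is iptables-restore syntax, so it can be reviewed (or diffed
# against the live ruleset) before loading.
# Chain names and the port/type lists below are constructed sample values.

TCP_PORTS="22 25 80 443"
UDP_PORTS="53 123 500"
ICMP_TYPES="echo-request destination-unreachable time-exceeded"

# Print the rules of one user chain: one ACCEPT per allowed port/type, then a
# terminating DROP. $1 = chain name, $2 = protocol, $3 = match option,
# remaining arguments = values to accept.
emit_chain() {
    chain=$1; proto=$2; opt=$3
    shift 3
    for v in "$@"; do
        echo "-A $chain -p $proto $opt $v -j ACCEPT"
    done
    # explicit per-protocol drop: nothing further is evaluated for $proto
    echo "-A $chain -j DROP"
}

# Build the complete filter table in iptables-restore format.
build_ruleset() {
    echo '*filter'
    echo ':FORWARD DROP [0:0]'      # policy stays DROP as a safety net
    echo ':fwd_tcp - [0:0]'
    echo ':fwd_udp - [0:0]'
    echo ':fwd_icmp - [0:0]'
    # Only these three rules are evaluated by every forwarded packet.
    echo '-A FORWARD -p tcp -j fwd_tcp'
    echo '-A FORWARD -p udp -j fwd_udp'
    echo '-A FORWARD -p icmp -j fwd_icmp'
    # the lists are intentionally unquoted so they split into separate arguments
    emit_chain fwd_tcp  tcp  --dport     $TCP_PORTS
    emit_chain fwd_udp  udp  --dport     $UDP_PORTS
    emit_chain fwd_icmp icmp --icmp-type $ICMP_TYPES
    echo 'COMMIT'
}

# Rule comparisons for a packet that matches nothing, flat layout as in the
# original question: every rule, then the final "-A FORWARD -j DROP".
# $1 $2 $3 = number of tcp, udp and icmp rules.
tests_flat() {
    echo $(( $1 + $2 + $3 + 1 ))
}

# Same packet, dispatched layout: the FORWARD dispatch rules up to the one
# that matches its protocol, then that protocol's rules, then the chain's DROP.
# $1 = protocol of the packet, $2 $3 $4 = number of tcp, udp and icmp rules.
tests_dispatch() {
    case $1 in
        tcp)  echo $(( 1 + $2 + 1 )) ;;
        udp)  echo $(( 2 + $3 + 1 )) ;;
        icmp) echo $(( 3 + $4 + 1 )) ;;
        *)    echo 3 ;;   # three dispatch misses, then the chain policy applies
    esac
}

# Stand-alone use: print the ruleset, then the comparison with the thread's
# 30/40/20 rule counts. To load it: build_ruleset | iptables-restore
build_ruleset
echo "# flat layout, any non-matching packet: $(tests_flat 30 40 20) rule tests"
echo "# dispatched layout, non-matching tcp:  $(tests_dispatch tcp 30 40 20) rule tests"
echo "# dispatched layout, non-matching udp:  $(tests_dispatch udp 30 40 20) rule tests"
echo "# dispatched layout, non-matching icmp: $(tests_dispatch icmp 30 40 20) rule tests"
```

The counts assume each protocol keeps the same number of rules after the split; the saving comes purely from the packet skipping the other protocols' chains, and the explicit DROP at the end of each chain is what guarantees it never falls back into them.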
* Re: netfilter efficiency
From: Jan Du Caju @ 2005-01-22 10:12 UTC
To: MauroTablo'; +Cc: netfilter
Hi,
On Thu, Jan 20, 2005 at 06:56:04PM +0100, MauroTablo' wrote:
> Hi all.
> My Linux (+ iptables) based firewall has about 90 forward filtering rules, for tcp packets (about 30 rules), udp datagrams (about 40 rules) and icmp messages (about 20 rules).
> Suppose that a transit tcp packet comes in that doesn't match any of my rules. So, the last rule will be applied, because it is the first one that matches the packet (/sbin/iptables -A FORWARD -j DROP).
>
> The question is: does iptables confront the TCP packet with all my 90 rules, or does it confront the packet ONLY WITH rules for tcp packets (-p tcp)?
> In other words, is there a function in netfilter that looks up the protocol type of a transit packet and decides which rules to confront the packet with?
You should consider hipac (http://www.hipac.org)
Quote from their website:
iptables, like most packet filters, uses a simple packet classification
algorithm which traverses the rules in a chain linearly per packet
until a matching rule is found (or not). Clearly, this approach lacks
efficiency. As networks grow more and more complex and offer wider
bandwidth, linear packet filtering is no longer an option if many rules
have to be matched per packet. Higher bandwidth means more packets per
second, which leads to shorter processing times per packet.
With nf-HiPAC we offer a novel framework for packet classification which
uses an advanced algorithm to reduce the number of memory lookups per
packet. It is ideal for environments where large rulesets and/or high
bandwidth networks are involved. Thereby, the iptables semantics of the
rules are preserved, i.e. you can construct your rules like you're used
to. From a user's point of view there is no need to understand anything
about the HiPAC algorithm.
At the hipac site you will find a comparison with iptables. The central
firewall of our university ( http://www.kuleuven.ac.be/english/ ) uses
hipac and we are very pleased with it. At the moment there is only an
implementation for a 2.4 kernel but the developers are working on a
2.6 version :-)
Hope this helps,
Jan.
--------------------------------------------------- KULeuvenNet -------
Jan.DuCaju@kuleuven.net http://www.kuleuven.net/e_index.html
K.U.Leuven http://www.kuleuven.ac.be/english/
LUDIT - KULeuvenNet http://ludit.kuleuven.be/index_en.html
de Croylaan 52A 3001 Leuven Belgium
-----------------------------------------------------------------------