* Loding rules
@ 2002-12-11 18:12 nedco
2002-12-16 10:47 ` Roberto Nibali
2002-12-16 19:42 ` Joel Newkirk
From: nedco @ 2002-12-11 18:12 UTC
To: netfilter
Hi,
How can I quickly load about 20000 rules into iptables?
If there is a document that would help, please let me know :)
Thanks a lot
Nedco
* Re: Loding rules
From: Roberto Nibali @ 2002-12-16 10:47 UTC
To: nedco; +Cc: netfilter
> Hi,
> How can I quickly load about 20000 rules into iptables?
> If there is a document that would help, please let me know :)
Netfilter is not designed for that. Please use the nf-hipac[1] drop-in
replacement. NF-hipac will do the filtering and rule organisation for you and
for the rest (NAT, mangle) you can still use netfilter. Also you should check if
you can't logically draw a binary tree with your rules which would then result
in faster matching lookup (at least with netfilter).
And no: iptables-save/restore is _not_ an option for dynamically changing rules!
If you have that many rules you certainly have a logic or kind of a matrix
behind that. Try to use some algebraic transformations (linear translation,
Laplace (define network flows), Gauss, TSP, ...) to optimize the ruleset. I have
done this and successfully reduced the number of rules.
[1] http://www.hipac.org
Regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
* Re: Loding rules
From: Joel Newkirk @ 2002-12-16 19:42 UTC
To: nedco, netfilter
On Wednesday 11 December 2002 01:12 pm, nedco@unacs.bg wrote:
> Hi,
> How can I quickly load about 20000 rules into iptables?
> If there is a document that would help, please let me know :)
>
> Thanks a lot
> Nedco
As long as you don't need to dynamically define the rules (i.e. using a
dynamic IP), iptables-save and iptables-restore should be your simple
answer. Oscar's tutorial explains save and restore at:
http://iptables-tutorial.frozentux.net/chunkyhtml/saveandrestore.html
These will load the complete ruleset in a very few operations, instead of
about 40000 (based on your 20000 figure above).
j
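The two answers above fit together: Joel's iptables-restore loads a whole table in one operation, and Roberto's "binary tree" remark is about arranging the rules so a packet does not traverse all of them. The script below is an added example (not from the thread, the tutorial, or the netfilter project) that generates an iptables-restore file for a constructed list of 512 blocked networks, bucketed into per-/16 user chains so the worst-case traversal is 32 jumps plus 16 DROP rules rather than 512. Chain prefix `BLK`, the `fanout_bits` parameter and the sample network list are all assumptions made for this example.

```python
"""Emit an iptables-restore file whose DROP rules form a two-level chain tree.
Added example for the thread above; not code from the thread or from netfilter."""
import ipaddress
from collections import defaultdict

# Constructed sample: 512 /24 networks spread over 32 /16s (not from the thread).
SAMPLE_NETWORKS = [f"10.{a}.{b}.0/24" for a in range(0, 256, 8) for b in range(0, 256, 16)]


def chain_name(prefix, supernet):
    # Chain names are limited to 28 characters; "BLK_10_248_0_0_16" fits.
    return f"{prefix}_{str(supernet).replace('.', '_').replace('/', '_')}"


def build_ruleset(networks, chain="INPUT", prefix="BLK", fanout_bits=16, target="DROP"):
    """Return (lines, stats).

    lines: filter-table text for `iptables-restore`. Networks are bucketed by
    their first `fanout_bits` bits; `chain` gets one jump per bucket and each
    bucket chain holds only its own networks. Networks wider than the fanout
    (a /8 when fanout_bits=16) stay directly in `chain`.
    stats: how many rules a packet can traverse, flat vs. tree, so the layout
    can be judged before anything is loaded.
    """
    buckets = defaultdict(list)
    wide = []
    for text in networks:
        net = ipaddress.ip_network(text, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {text}")
        if net.prefixlen < fanout_bits:
            wide.append(net)
            continue
        buckets[net.supernet(new_prefix=fanout_bits)].append(net)

    lines = ["*filter"]
    # Only user chains are declared; not listing ':INPUT ...' leaves its policy alone.
    for supernet in sorted(buckets):
        lines.append(f":{chain_name(prefix, supernet)} - [0:0]")
    for net in sorted(wide):
        lines.append(f"-A {chain} -s {net} -j {target}")
    for supernet in sorted(buckets):
        lines.append(f"-A {chain} -s {supernet} -j {chain_name(prefix, supernet)}")
    for supernet in sorted(buckets):
        name = chain_name(prefix, supernet)
        for net in sorted(buckets[supernet]):
            lines.append(f"-A {name} -s {net} -j {target}")
    lines.append("COMMIT")

    biggest = max((len(v) for v in buckets.values()), default=0)
    stats = {
        "networks": len(networks),
        "buckets": len(buckets),
        "flat_worst_case": len(networks),
        "tree_worst_case": len(wide) + len(buckets) + biggest,
        "total_rules": sum(1 for line in lines if line.startswith("-A ")),
    }
    return lines, stats


def check_ruleset(lines, networks, target="DROP"):
    """Every input network must appear exactly once as a terminal rule."""
    seen = [line.split(" -s ")[1].split(" -j ")[0]
            for line in lines if line.startswith("-A ") and line.endswith(f"-j {target}")]
    return sorted(seen) == sorted(str(ipaddress.ip_network(n)) for n in networks)


if __name__ == "__main__":
    ruleset, info = build_ruleset(SAMPLE_NETWORKS)
    assert check_ruleset(ruleset, SAMPLE_NETWORKS)
    # Feed the output to `iptables-restore` (add --noflush to keep existing rules).
    print("\n".join(ruleset))
    print("#", info)
```

Note that plain `iptables-restore` replaces every table named in the file (here the whole filter table); `iptables-restore --noflush` appends instead. Either way the kernel sees one ruleset replacement rather than one call per rule, which is Joel's point, and the bucket chains keep per-packet matching cost bounded, which is Roberto's.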
* Loding rules
From: nedco @ 2002-12-11 18:16 UTC
To: netfilter-devel
Hi,
How can I quickly load about 20000 rules into iptables?
If there is a document that would help, please let me know :)
Thanks a lot
Nedco