Memory Loading

Memory Loading

[Patrick Turley]

Our system has potentially a few thousand firewall rules. I need to find 
out the amount of memory these that firewall rules consume. If you have 
this information at hand, or can point me to a useful web site, that 
would be great. Failing that, a pointer to specific source files would 
also be marvelous.

Re: Memory Loading

[Friedrich Lobenstock]

Patrick Turley wrote on 19.04.2004 21:58 MET:
> Our system has potentially a few thousand firewall rules. I need to find 
> out the amount of memory these that firewall rules consume. If you have 
> this information at hand, or can point me to a useful web site, that 
> would be great. Failing that, a pointer to specific source files would 
> also be marvelous.
> 

Would be interesting to know what you find out about this.

# iptables -L -n | wc -l
    6323                       (minus some few lines of text output)

That's 99.8% "accounting-only" rules with 0.2% filtering rules.

BTW I have set hashsize = ip_conntrack_max = 1785961. Therefore max. 510 MB 
will be allocate to conntrack. That much max. memory for conntrach will 
probably never be needed at all, but the memory is there, so why not ;-). I 
think this had more influence on the memory usage than all the rules 
together. No exact numbers to compare with, sorry.

How many rules would you want to install?

-- 
MfG / Regards
Friedrich Lobenstock