From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
To: netfilter@lists.netfilter.org
Subject: Re: Many Many table rules
Date: Wed, 15 Sep 2004 10:57:42 -0500 [thread overview]
Message-ID: <41486676.9000807@pbl.ca> (raw)
In-Reply-To: <d82fbdb70409150521fa65d77@mail.gmail.com>
Michael Eck wrote:
> Your first suggestion would, in my case, work better by first matching
> by IP. How much performance gain would I really achieve? Is there a
> way to quantify the impact that a given number of rules would have?
> In other words, is the difference between 200 and 1000 rules dramatic?
Depends on the speed of the CPU, the number and speed of the network devices, and
the amount and type of traffic. A software router/firewall can cope quite
well with multiple 100 Mbps average office networks. On the other hand,
multiple heavily loaded gigabit interfaces can place a really high load on
software routers/firewalls. That is where Cisco comes into play with
high-end hardware-based routers. One way to tell is to monitor how much
time your CPU spends in the idle state. Is it like 90 or 99%? Or is it
closer to 10, 5 or 0%? In the latter case, anything you can optimize
will show up dramatically.
If you already implemented my second suggestion, then the answer is probably
not much, since most of your packets are going to be matched/accepted
by the time they reach your rule number 2. Apart from that, the lag inserted by
your firewall during connection establishment will be ~4-5 times shorter
(these packets have to go through either 200 or 1000 rules, instead of
just the 2 rules that the second and subsequent packets will go through).
--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB R3T 1L7
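The ordering described in the reply above, as an added example that is not code from the original message or from the netfilter project: a small POSIX shell script that emits an iptables-restore ruleset with the stateful ESTABLISHED,RELATED accept as rule 2 of INPUT, ahead of the long per-host list, plus a helper that reports where that rule sits in an existing `iptables-save` dump. The host addresses and ports are constructed sample data in RFC 5737 documentation ranges; the `-m state` syntax is the one in use at the time of the thread (`-m conntrack --ctstate` is the modern equivalent).

```shell
#!/bin/sh
# Added example for this thread, not code from the original message or from
# the netfilter project. Emits an iptables-restore ruleset in which the
# conntrack match for already-established traffic is rule 2 of INPUT, so
# only the first packet of each connection walks the long per-host list.
# Hosts and ports below are constructed sample data (RFC 5737 ranges).

sample_hosts() {
    # Constructed input: one "source_ip dest_port" pair per line.
    printf '%s\n' '192.0.2.10 22' '198.51.100.7 80' '203.0.113.5 443'
}

gen_ruleset() {
    # Reads "ip port" pairs on stdin, writes an iptables-restore file on stdout.
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Rule 1: loopback. Rule 2: anything conntrack already knows about.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only a connection's first packet (state NEW) gets past rule 2 and is
    # compared against every per-host rule below.
    while read -r ip port; do
        [ -n "$ip" ] || continue
        echo "-A INPUT -p tcp -s $ip --dport $port -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

established_rule_position() {
    # Reads iptables-save output on stdin and prints the 1-based position of
    # the first ACCEPT rule in INPUT that matches ESTABLISHED traffic (0 if
    # none). On a live box: iptables-save | established_rule_position
    # A large number here means every packet of every flow walks that many
    # rules before it is accepted.
    awk '/^-A INPUT /{ n++
            if (!found && $0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/) { print n; found=1 } }
         END { if (!found) print 0 }'
}

# Demo: print the generated ruleset; load it with "iptables-restore < file".
sample_hosts | gen_ruleset
```

With three sample hosts the generated INPUT chain has five rules, and every packet after a connection's first is accepted at rule 2 regardless of how many per-host rules follow. To check the idle-time figure the reply mentions, `vmstat 1` shows idle CPU in its `id` column.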
Thread overview: 4+ messages
2004-09-14 17:06 Many Many table rules Michael Eck
2004-09-14 19:24 ` Aleksandar Milivojevic
2004-09-15 12:21 ` Michael Eck
2004-09-15 15:57 ` Aleksandar Milivojevic [this message]