From: Carl-Daniel Hailfinger
Subject: Re: iptables modules efficiency, caching in conntrack
Date: Mon, 15 May 2006 21:29:57 +0200
Message-ID: <4468D6B5.20108@gmx.net>
To: Amin Azez
Cc: netfilter-devel@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Hi Amin,

Amin Azez wrote:
> I've done work with a few iptables modules, conntrack, ipt_recent,
> ipt_account (recently) and others.
>
> The design usually consists of a module specific storage using some
> aspects of the connection or packet as a key to the storage.
>
> For each packet, each module calculates the key, fetches and locks the
> storage record, makes decisions and updates, unlocks and continues.
>
> I also notice a similarity between many modules, ipt_set, ipt_recent,
> ipt_account, and think how much space and time is used less efficiently
> when more than one of these are used together.

Have you looked at ipt_ACCOUNT (the capitalized one)? IIRC their storage
model is quite efficient and works fine even under memory pressure and
requires only 0-order allocations.
If you want, I can supply you with a 64-bit-clean kernel-2.6 version of
ipt_ACCOUNT.

Regards,
Carl-Daniel

-- 
http://www.hailfinger.org/
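A userspace model of the per-packet pattern Amin describes (derive a key from the packet, lock, fetch or create the record, update and decide, unlock), added here as an illustration and not code from this thread or from any netfilter module: one record keyed on the source address carries both ipt_account-style byte/packet totals and an ipt_recent-style rate window, so a single lookup and lock serves both decisions. The bucket count, hash, and the sample addresses are constructed for the example.

```c
/* Constructed example: fixed-size table (no allocation on the packet path),
 * one record per source address, guarded by a spinlock stand-in. */
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>

#define NBUCKETS 64

struct record {
    uint32_t key;                  /* source IPv4 address, host order */
    uint64_t packets, bytes;       /* accounting totals, never reset */
    uint32_t win_start, win_hits;  /* recent-style rate window */
    int used;
};

static struct record table[NBUCKETS];
static atomic_flag table_lock = ATOMIC_FLAG_INIT;  /* stands in for spin_lock_bh */

static void lock(void)   { while (atomic_flag_test_and_set(&table_lock)) ; }
static void unlock(void) { atomic_flag_clear(&table_lock); }

/* Hash into a bucket, linear-probe on collision; insert if asked and free.
 * Returns NULL when absent (no insert) or when the table is full. */
static struct record *find(uint32_t key, int insert) {
    unsigned i, h = (key * 2654435761u) >> 26;  /* top 6 bits -> 0..63 */
    for (i = 0; i < NBUCKETS; i++) {
        struct record *r = &table[(h + i) % NBUCKETS];
        if (r->used && r->key == key) return r;
        if (!r->used) {
            if (!insert) return NULL;
            memset(r, 0, sizeof *r); r->key = key; r->used = 1; return r;
        }
    }
    return NULL;
}

/* One packet: key, lock, update both decisions' state, unlock.
 * Returns 1 when the source exceeded `rate` packets inside `window` seconds. */
int handle_packet(uint32_t saddr, uint32_t len, uint32_t now,
                  uint32_t window, uint32_t rate) {
    int verdict = 0;
    lock();
    struct record *r = find(saddr, 1);
    if (r) {  /* table full: count nothing rather than block the packet path */
        r->packets++; r->bytes += len;
        if (now - r->win_start > window) { r->win_start = now; r->win_hits = 0; }
        verdict = ++r->win_hits > rate;
    }
    unlock();
    return verdict;
}

/* Read-side helpers (what a /proc or getsockopt reader would use). */
uint64_t total_bytes(uint32_t saddr)   { lock(); struct record *r = find(saddr, 0); uint64_t v = r ? r->bytes : 0;   unlock(); return v; }
uint64_t total_packets(uint32_t saddr) { lock(); struct record *r = find(saddr, 0); uint64_t v = r ? r->packets : 0; unlock(); return v; }
```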