Further speedup of iptables when modifying an existing ruleset

Further speedup of iptables when modifying an existing ruleset

[Thomas Jacob]

[-- Attachment #1.1: Type: text/plain, Size: 490 bytes --]

Hello list,

Here's a patch to speed up iptcc_find_chain_by_offset 
(O(n)->O(log(n)) by creating a lookup table while
initially translating the kernel blob.

In my test case a second iptables-restore with a file containing
~50k chains with 120k~ rules takes 11s instead of 1m30s (on a VM).
iptables -vnL SOMECHAIN takes 0.5s instead of 1m12s.

Comments and suggestions would be very welcome, as would
be inclusion into the mainline distribution ;-)

    Regards,
	Thomas



[-- Attachment #1.2: 0001-Speed-up-verdict-to-chain_head-mapping-by-using-bina.patch --]
[-- Type: application/mbox, Size: 10036 bytes --]

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Further speedup of iptables when modifying an existing ruleset

[Patrick McHardy]

Thomas Jacob wrote:
> Hello list,
> 
> Here's a patch to speed up iptcc_find_chain_by_offset 
> (O(n)->O(log(n)) by creating a lookup table while
> initially translating the kernel blob.
> 
> In my test case a second iptables-restore with a file containing
> ~50k chains with 120k~ rules takes 11s instead of 1m30s (on a VM).
> iptables -vnL SOMECHAIN takes 0.5s instead of 1m12s.

That sounds great.

> Comments and suggestions would be very welcome, as would
> be inclusion into the mainline distribution ;-)

Please resend the patch inline (or using Content-Disposition: inline;
instead of attachment) so people can view it in their mail clients.