From: Pablo Neira Ayuso <pablo@netfilter.org>
To: John Bourke <john.bourke@mobileinternet.com>
Cc: 'Michele Petrazzo - Unipex srl' <michele.petrazzo@unipex.it>,
	netfilter@vger.kernel.org
Subject: Re: Iptables execution time
Date: Fri, 17 Oct 2008 13:53:19 +0200	[thread overview]
Message-ID: <48F87CAF.9000507@netfilter.org> (raw)
In-Reply-To: <002301c92fe5$3234ff00$969efd00$@bourke@mobileinternet.com>

John Bourke wrote:
> Folks,
> 
> I ran some tests tonight.  I took our usual firewall rule count of about
> 5000 rules and added another 25,000.  At every 100 added I measured the time
> taken to add the last of the 100.
> 
> After the first 100 rules, a rule was added in 29ms.  After 25,000 rules
> were added, the last rule was added in 169ms.  The total number of rules at
> the end was 29716.
> 
> On another system, the 100th rule added in 40ms, the 25,000th rule added in
> 90ms, and the total rule count at the end was 32227.
> 
> The rule add was a simple 
> 
> iptables -I FORWARD -s 10.0.a.b -j ACCEPT
> 
> Where a was from 1 to 250 and b was from 1 to 100.  So I was not doing
> anything more complex.
> 
> Even at 40ms, I can only load 25 rules a second.  As I have a dynamic
> firewall which changes every second, and each of my users has about 25
> rules, I can only handle one user addition or removal a second.  I would
> like to do 10 per second, 250 rules per second.
> 
> Are there better ways to do this, iptables-restore, ipset ?

Use iptables-restore -n and pipe the rule updates for dynamic rule 
addition and deletion.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers
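As an added illustration of the iptables-restore -n approach suggested above (this is not code from either poster), the script below builds one restore batch for a user's block of 10.0.a.b sources and pipes the whole batch into a single iptables-restore process, instead of forking iptables(8) once per rule. The function names, the 10.0.7.x block and the 25-rules-per-user count are assumptions taken from the figures in the thread.

```shell
#!/bin/sh
# Batch per-user FORWARD rules through iptables-restore -n.
# One process handles the whole batch, and the table is committed as a unit
# at the COMMIT line, so a malformed rule leaves the live ruleset untouched.

# Emit one restore batch for sources 10.0.A.B, B from $3 to $4.
# $1 = "-I" to insert (as in the original command) or "-D" to delete,
# $2 = A (third octet), $3 = first B, $4 = last B.
build_batch() {
  action=$1; a=$2; b=$3; b_to=$4
  printf '*filter\n'
  while [ "$b" -le "$b_to" ]; do
    printf '%s FORWARD -s 10.0.%s.%s -j ACCEPT\n' "$action" "$a" "$b"
    b=$((b + 1))
  done
  printf 'COMMIT\n'
}

# Count the rule lines in a batch read from stdin (ignores *filter and COMMIT).
count_rules() {
  grep -c -- '^-[ID] '
}

# Apply a batch read from stdin. -n (--noflush) keeps every existing rule in
# every table and only applies the listed changes.
# Needs root and a kernel with netfilter; not run by the example itself.
apply_batch() {
  iptables-restore -n
}

# Usage (assumed user block 10.0.7.x, 25 rules as in the thread):
#   build_batch -I 7 1 25 | apply_batch      # add the user's rules
#   build_batch -D 7 1 25 | apply_batch      # remove them again
```

Because each `-I` line in the batch inserts at the head of the chain, the rules end up in reverse order of the list, exactly as the per-rule `iptables -I` loop produced them; use `-A` in the batch if append order is wanted instead.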

Thread overview:
2008-10-16 17:29 Iptables execution time Michele Petrazzo - Unipex srl
2008-10-16 17:48 ` Pablo Neira Ayuso
2008-10-16 18:17   ` Michele Petrazzo - Unipex srl
     [not found]     ` <002301c92fe5$3234ff00$969efd00$@bourke@mobileinternet.com>
2008-10-17 11:53       ` Pablo Neira Ayuso [this message]