From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Pandu Poluan <pandu@poluan.info>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: ipset -R
Date: Fri, 25 Feb 2011 16:27:33 +0000 [thread overview]
Message-ID: <4D67D875.4000103@googlemail.com> (raw)
In-Reply-To: <AANLkTi=_igg_4QXup3uU1A-UhhTNPXG_GOBvSqGMLzgW@mail.gmail.com>
> I haven't perused netfilter code yet, so what I'll say is highly conjectural.
>
> IMO, the single (1) rule will be a lot faster:
> * Only 1 (one) check for whitelist
> * x checks for blacklist-checks
>
> Total checks (worst-case): 1+x (and if the negated result of whitelist
> check == false, no need for x blacklist-checks)
>
> Best case: 1 check ( IP in whitelist, so ! whitelist == false,
> iptables' rule is short-circuited )
>
> Rule (2):
> * A total of x times ( whitelist check + blacklist-check )
>
> Total checks (worst-case): x * 2
>
> Best case: x * 1 ( only check against whitelist, but repeated for x rules )
>
The above makes perfect sense and is more or less what I assumed would
be the case, though I thought of even a better way, which would remove
the need of using a list-type set:
-m set ! --match-set whitelist src -j $BLACKLIST_PROCESSING_CHAIN
where $BLACKLIST_PROCESSING_CHAIN contains all the blacklist elements
and another jump to DROP - as is the case at present. There are at least
two major advantages as far as I can see: 1) I could log/see the number
of packets dropped for each particular blacklist-x set (something I
would have lost with the use of list-type set as everything would have
been lumbered in one place); and 2) performance-wise there won't be any
difference from what is the case at present - with deleting set members
and only using the blacklist-x sets, although I have to admit that if I
have used a single list-type set with a single iptables statement I
think the performance would have been a little bit better.
> IMO, iptables lookups are much more expensive than ipset lookups. (
> IOW, n * iptables checks is much more expensive than 1 * iptables
> check against a setlist with n members ). So, the speedup of (1)
> against (2) will be even more significant.
>
Absolutely - the main reason I switched to ipset, as asking iptables to
traverse through more than, say, 2500 statements in a single chain is
asking for trouble!
prev parent reply other threads:[~2011-02-25 16:27 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-23 0:58 ipset -R Mr Dash Four
2011-02-23 19:20 ` Jozsef Kadlecsik
2011-02-23 22:58 ` Mr Dash Four
2011-02-24 0:05 ` Pandu Poluan
2011-02-24 5:16 ` Pandu Poluan
2011-02-24 12:18 ` Mr Dash Four
2011-02-25 8:38 ` Jozsef Kadlecsik
2011-02-25 13:27 ` Mr Dash Four
2011-02-25 14:06 ` Jozsef Kadlecsik
2011-02-25 16:13 ` Mr Dash Four
2011-02-25 22:22 ` Jozsef Kadlecsik
2011-02-26 13:35 ` Mr Dash Four
2011-02-25 14:19 ` Pandu Poluan
2011-02-25 16:27 ` Mr Dash Four [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D67D875.4000103@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter@vger.kernel.org \
--cc=pandu@poluan.info \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.