From: Joubert Berger <joubertb@gmail.com>
To: Steven M Campbell <Netfilter@scampbell.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: iptables-restore vs iptables-restore --noflush performance
Date: Mon, 25 Jul 2005 16:46:30 -0400
Message-ID: <63d3731e05072513464c3fdf9b@mail.gmail.com>
In-Reply-To: <42E53D24.2020203@SCampbell.net>

Actually, what I do is load the first time the 6600 rules.  The next
time I load the 6600 rules, I load them using different chains.  At
the end, I just change FORWARD to point to the newly created chains
and then delete the old chains.

Are you saying, if I have 6600 rules loaded, no matter what chain I
add the next 6600 rules to (i.e. a totally new chain), performance is going
to go up?  In other words, performance (inserting of rules) is tied to
# of total rules and not # of rules added to a chain?

TIA

--joubert


On 7/25/05, Steven M Campbell <Netfilter@scampbell.net> wrote:
> Joubert Berger wrote:
> >Anyone know why I would get a big performance difference between
> >"iptables-restore" and "iptables-restore --noflush"?
> >
> >I have 6600 rules.  If I load with iptables-restore, it takes about 30sec.
> >If I use noflush, that turns into 1 min and 20+ seconds.
> >
> >--joubert
> >
> >
> Because you have 6600 rules and when you use no-flush you are adding
> another 6600?  If you do it several times in a row I'll bet the time
> keeps getting worse.
> 
> The insert time for each rule is, among other things, dependent on the
> number of rules that must be searched/manipulated, thus an explanation
> for the times you see.
> 
> You should only use --noflush if you really intend to add rules to the
> current rule set rather than replace them all.  What are you trying to
> accomplish here?
> 
> 
> 
>
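
Added example, not part of the original message or of the netfilter project: one way to script the generation swap described above (new rules go into a new chain, FORWARD is repointed, the old chain is deleted). The chain names `fwd_gen1` and `fwd_gen2`, the function names and the sample rules are assumptions made for illustration.

```shell
#!/bin/sh
# Builds iptables-restore --noflush input that loads a new generation of
# rules into a fresh chain and repoints FORWARD at it in the same COMMIT.
# Chain names and sample rules are constructed for this example.

# gen_swap_ruleset OLD NEW: reads rule bodies (the part after "-A CHAIN")
# on stdin, one per line, and prints a *filter section.
gen_swap_ruleset() {
    old=$1
    new=$2
    printf '%s\n' '*filter'
    # Declare only the new user chain; with --noflush the chains that are
    # already loaded keep their rules.
    printf '%s\n' ":$new - [0:0]"
    while IFS= read -r body; do
        if [ -n "$body" ]; then
            printf '%s\n' "-A $new $body"
        fi
    done
    # Add the jump to the new chain before removing the jump to the old
    # one, so FORWARD always references one complete generation.
    printf '%s\n' "-I FORWARD 1 -j $new"
    printf '%s\n' "-D FORWARD -j $old"
    printf '%s\n' 'COMMIT'
}

# cleanup_commands OLD: prints the commands that flush and delete the old
# generation once FORWARD no longer jumps to it.
cleanup_commands() {
    printf '%s\n' "iptables -F $1"
    printf '%s\n' "iptables -X $1"
}

# Constructed sample rules using documentation address ranges.
sample_rules() {
    cat <<'EOF'
-s 192.0.2.10/32 -j DROP
-s 198.51.100.0/24 -p tcp --dport 22 -j ACCEPT
EOF
}

# Usage (requires root; nothing here touches the live rule set):
#   sample_rules | gen_swap_ruleset fwd_gen1 fwd_gen2 | iptables-restore --noflush
#   cleanup_commands fwd_gen1 | sh
```

Run the cleanup commands only after `iptables-restore` has exited successfully, since a failed restore leaves FORWARD still jumping to the old chain.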

