From mboxrd@z Thu Jan 1 00:00:00 1970
From: Martin Schiøtz
Subject: iptables performance
Date: Wed, 25 May 2005 19:20:53 +0000
Reply-To: Martin Schiøtz
To: netfilter@lists.netfilter.org
Sender: netfilter-bounces@lists.netfilter.org

Hi

I'm planning to set up a bridge running iptables on an uplink for a lot of internet users. The uplink is at maximum about 30 mbit/s. There are about 1800 * /29 ip nets - some /29 nets need to be stopped by the bridge and some can pass.

I'm wondering about the performance of iptables when having 1800*2 rules worst case (PREROUTING rules on src and dst nets). Actually I have made some kind of hashing using user defined chains. This gives a maximum of a packet travelling through about 65 + 32 rules.

I have not tested live - before I do this, I would like to know if anybody here has any experience or idea about performance with that kind of traffic load and number of rules?

Best regards,
Martin

My user defined rules:

iptables -t mangle -N 10.0.0.0/24
...
...
iptables -t mangle -N 10.0.x.x/24

iptables -t mangle -I 10.0.0.0/24 1 -m physdev --physdev-in $IF_DOWN -s 10.0.0.0/29 -j ACCEPT
iptables -t mangle -I 10.0.0.0/24 1 -m physdev --physdev-in $IF_UP -d 10.0.0.0/29 -j ACCEPT
...
...
iptables -t mangle -A 10.0.0.0/24 -j DROP
...
...
iptables -t mangle -I PREROUTING 4 -m physdev --physdev-in $IF_DOWN -s $CUSTOMER_NET_1 --goto 10.0.0.0/24
iptables -t mangle -I PREROUTING 4 -m physdev --physdev-in $IF_UP -d $CUSTOMER_NET_1 --goto 10.0.0.0/24
...
...
iptables -t mangle -I PREROUTING 4 -m physdev --physdev-in $IF_DOWN -s $CUSTOMER_NET_1 --goto 10.0.x.x/24
iptables -t mangle -I PREROUTING 4 -m physdev --physdev-in $IF_UP -d $CUSTOMER_NET_1 --goto 10.0.x.x/24
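The per-/24 dispatch scheme described in the post, as an added example that is not part of the original message: a generator that builds the chains from a constructed customer list and counts the worst-case number of rules one packet traverses (every PREROUTING dispatch rule plus the longest /24 chain). The interface names, the CUSTOMERS list and the chain-name form c10_0_0_0_24 are assumptions; commands are printed, not executed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds per-/24 dispatch chains
# from a constructed "<net/29> <ACCEPT|DROP>" list; rules are only printed.
IF_DOWN=eth0   # customer-facing bridge port (assumption)
IF_UP=eth1     # uplink bridge port (assumption)

# Constructed sample input: four /29 customers spread over two /24 blocks
CUSTOMERS='10.0.0.0/29 ACCEPT
10.0.0.8/29 DROP
10.0.0.16/29 ACCEPT
10.0.1.0/29 ACCEPT'

# Parent /24 of a /29, e.g. 10.0.0.8/29 -> 10.0.0.0/24
parent24() {
    printf '%s\n' "$1" | awk -F'[./]' '{ printf "%d.%d.%d.0/24\n", $1, $2, $3 }'
}
# Chain name for a /24 without "." or "/" (assumed form), e.g. c10_0_0_0_24
chain_name() { printf 'c%s\n' "$1" | tr './' '__'; }
# Every distinct /24 that has at least one customer
all24() { printf '%s\n' "$CUSTOMERS" | while read -r net _; do parent24 "$net"; done | sort -u; }

gen_rules() {
    # one chain plus two PREROUTING dispatch rules (src and dst) per /24
    all24 | while read -r c24; do
        ch=$(chain_name "$c24")
        echo "iptables -t mangle -N $ch"
        echo "iptables -t mangle -A PREROUTING -m physdev --physdev-in $IF_DOWN -s $c24 --goto $ch"
        echo "iptables -t mangle -A PREROUTING -m physdev --physdev-in $IF_UP -d $c24 --goto $ch"
    done
    # ACCEPT rules for permitted /29s; blocked ones fall through to the chain's DROP
    printf '%s\n' "$CUSTOMERS" | while read -r net action; do
        [ "$action" = ACCEPT ] || continue
        ch=$(chain_name "$(parent24 "$net")")
        echo "iptables -t mangle -A $ch -m physdev --physdev-in $IF_DOWN -s $net -j ACCEPT"
        echo "iptables -t mangle -A $ch -m physdev --physdev-in $IF_UP -d $net -j ACCEPT"
    done
    # terminal DROP at the end of every /24 chain
    all24 | while read -r c24; do
        echo "iptables -t mangle -A $(chain_name "$c24") -j DROP"
    done
}

# Worst case: a packet scans every PREROUTING dispatch rule, then the longest /24 chain
worst_case() {
    gen_rules | awk '$4 == "-A" { n[$5]++ }
        END { m = 0; for (c in n) if (c != "PREROUTING" && n[c] > m) m = n[c]
              print n["PREROUTING"] + m }'
}
```

With the sample list the longest chain is c10_0_0_0_24 (two ACCEPT pairs plus DROP, five rules) behind four dispatch rules, so worst_case prints 9.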