* Maximum Number of Chains
@ 2003-08-30 4:16 Paul Caritj
2003-09-02 20:22 ` Ralf Spenneberg
2003-09-03 4:22 ` Julian Gomez
0 siblings, 2 replies; 9+ messages in thread
From: Paul Caritj @ 2003-08-30 4:16 UTC (permalink / raw)
To: netfilter
Greetings, I hope everyone is well.
Though I suspect the subject line adequately conveys my question, I will
restate it: Does anyone out there know the maximum number of chains per
table?
Many thanks,
Paul
--
------------------------------
Paul James Caritj
President
Freespace Networks, Inc.
pcaritj@freespace-networks.net
^ permalink raw reply [flat|nested] 9+ messages in thread
* Maximum Number of Chains
@ 2003-08-31 2:39 Paul Caritj
0 siblings, 0 replies; 9+ messages in thread
From: Paul Caritj @ 2003-08-31 2:39 UTC (permalink / raw)
To: netfilter
Greetings,
Hope everyone is well.
My question is a simple one: does anyone know if there is a maximum
number of chains per filter (or, if it's the case, overall)? If so, what
is this maximum?
Many thanks,
Paul
* Re: Maximum Number of Chains
2003-08-30 4:16 Paul Caritj
@ 2003-09-02 20:22 ` Ralf Spenneberg
2003-09-03 4:22 ` Julian Gomez
1 sibling, 0 replies; 9+ messages in thread
From: Ralf Spenneberg @ 2003-09-02 20:22 UTC (permalink / raw)
To: Paul Caritj; +Cc: Netfilter
On Sat, 2003-08-30 at 06.16, Paul Caritj wrote:
> Greetings, I hope everyone is well.
> Though I suspect the subject line adequately conveys my question, I will
> restate it: Does anyone out there know the maximum number of chains per
> table?
Well, I just created 1000 and it still worked.
for i in `seq 1 1000`; do iptables -N chain$i; done
How many do you need?
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* RE: Maximum Number of Chains
@ 2003-09-02 23:25 George Vieira
2003-09-03 12:03 ` Tim Evans
0 siblings, 1 reply; 9+ messages in thread
From: George Vieira @ 2003-09-02 23:25 UTC (permalink / raw)
To: Paul Caritj, netfilter
How much memory do you have???
I've added at one stage around 500+ rules in one chain alone, if that helps you in any way.
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
-----Original Message-----
From: Paul Caritj [mailto:pcaritj@freespace-networks.net]
Sent: Saturday, August 30, 2003 2:16 PM
To: netfilter@lists.netfilter.org
Subject: Maximum Number of Chains
Greetings, I hope everyone is well.
Though I suspect the subject line adequately conveys my question, I will
restate it: Does anyone out there know the maximum number of chains per
table?
Many thanks,
Paul
--
------------------------------
Paul James Caritj
President
Freespace Networks, Inc.
pcaritj@freespace-networks.net
* Re: Maximum Number of Chains
2003-08-30 4:16 Paul Caritj
2003-09-02 20:22 ` Ralf Spenneberg
@ 2003-09-03 4:22 ` Julian Gomez
1 sibling, 0 replies; 9+ messages in thread
From: Julian Gomez @ 2003-09-03 4:22 UTC (permalink / raw)
To: netfilter
On Sat, Aug 30, 2003 at 12:16:13AM -0400, Paul Caritj spoke thusly:
>Greetings, I hope everyone is well.
>Though I suspect the subject line adequately conveys my question, I will
>restate it: Does anyone out there know the maximum number of chains per
>table?
No idea what the maximum is. But the more rules you add, the slower the
additions become (I think Harald mentioned this previously).
Also, if you have a long list of rules (e.g. 700 different rules within the
FORWARD chain) and you decide to remove rule #467, all the rules need to
be copied to a temporary area, rule #467 removed, and everything from the
temporary buffer copied back. That adds to the slowness.
I think the devel guys are working on tweaking the table type used in the
2.5/2.6 kernels. They should be able to shed more information, or you can
dig through the archives.
* RE: Maximum Number of Chains
2003-09-02 23:25 Maximum Number of Chains George Vieira
@ 2003-09-03 12:03 ` Tim Evans
2003-09-03 15:42 ` Paul Caritj
0 siblings, 1 reply; 9+ messages in thread
From: Tim Evans @ 2003-09-03 12:03 UTC (permalink / raw)
To: George Vieira, Paul Caritj, netfilter
On Wed, 3 Sep 2003 09:25:51 +1000, George Vieira wrote
> How much memory do you have???
>
> I've added at one stage around 500+ rules in one chain alone, if
> that helps you in any way.
Seems to me if you have to ask about the maximum number of rules, you already
have too many. There are ways to create general rules that apply to many
cases--i.e., address ranges, port ranges, etc.
--
Tim Evans | 5 Chestnut Court
tkevans@tkevans.com | Owings Mills, MD 21117
http://www.tkevans.com/ | 443-394-3864
http://www.come-here.com/News/ |
* Re: Maximum Number of Chains
2003-09-03 12:03 ` Tim Evans
@ 2003-09-03 15:42 ` Paul Caritj
2003-09-03 16:19 ` Leonardo Rodrigues Magalhães
2003-09-03 16:21 ` Jeffrey Laramie
0 siblings, 2 replies; 9+ messages in thread
From: Paul Caritj @ 2003-09-03 15:42 UTC (permalink / raw)
To: tkevans, netfilter
Agreed,
Here's my situation: I need to create rules on the fly for
(potentially) up to 4000 users. What I need is a way to delete *all* the
rules for a given IP address without knowing the full contents of the
rule (only the IP); as you might have guessed, I'm doing this
programmatically.
My current solution is to have one chain for each associated IP. Is
there a better solution to this problem?
As for memory...I can have as much as I need, if anyone knows how much
that would be. :)
Tim Evans wrote:
>On Wed, 3 Sep 2003 09:25:51 +1000, George Vieira wrote
>>How much memory do you have???
>>
>>I've added at one stage around 500+ rules in one chain alone, if
>>that helps you in any way.
>
>Seems to me if you have to ask about the maximum number of rules, you already
>have too many. There are ways to create general rules that apply to many
>cases--i.e., address ranges, port ranges, etc.
>--
>Tim Evans | 5 Chestnut Court
>tkevans@tkevans.com | Owings Mills, MD 21117
>http://www.tkevans.com/ | 443-394-3864
>http://www.come-here.com/News/ |
* Re: Maximum Number of Chains
2003-09-03 15:42 ` Paul Caritj
@ 2003-09-03 16:19 ` Leonardo Rodrigues Magalhães
2003-09-03 16:21 ` Jeffrey Laramie
1 sibling, 0 replies; 9+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2003-09-03 16:19 UTC (permalink / raw)
To: Paul Caritj, netfilter
OK, let's get 4000 users. Are their IPs in a known range, or are these
internet users? Are these rules to be applied on input/output, or will they be
for forwarding stuff?
Are the rules always the same for every IP, or can rules change from one
IP to another? Could you explain to us a little better in what context
this solution will be used?
Sincerely,
Leonardo Rodrigues
----- Original Message -----
From: "Paul Caritj" <pcaritj@riovia.net>
To: <tkevans@tkevans.com>; <netfilter@lists.netfilter.org>
Sent: Wednesday, September 03, 2003 12:42 PM
Subject: Re: Maximum Number of Chains
> Agreed,
> Here's my situation: I need to create rules on the fly for
> (potentially) up to 4000 users. What I need is a way to delete *all* the
> rules for a given IP address without knowing the full contents of the
> rule (only the IP); as you might have guessed, I'm doing this
> programmatically.
>
> My current solution is to have one chain for each associated IP. Is
> there a better solution to this problem?
>
> As for memory...I can have as much as I need, if anyone knows how much
> that would be. :)
>
> Tim Evans wrote:
>
> >On Wed, 3 Sep 2003 09:25:51 +1000, George Vieira wrote
> >
> >
> >>How much memory do you have???
> >>
> >>I've added at one stage around 500+ rules in one chain alone, if
> >>that helps you in any way.
> >>
> >>
> >
> >Seems to me if you have to ask about the maximum number of rules, you already
> >have too many. There are ways to create general rules that apply to many
> >cases--i.e., address ranges, port ranges, etc.
> >--
> >Tim Evans | 5 Chestnut Court
> >tkevans@tkevans.com | Owings Mills, MD 21117
> >http://www.tkevans.com/ | 443-394-3864
> >http://www.come-here.com/News/ |
* Re: Maximum Number of Chains
2003-09-03 15:42 ` Paul Caritj
2003-09-03 16:19 ` Leonardo Rodrigues Magalhães
@ 2003-09-03 16:21 ` Jeffrey Laramie
1 sibling, 0 replies; 9+ messages in thread
From: Jeffrey Laramie @ 2003-09-03 16:21 UTC (permalink / raw)
Cc: netfilter
Hi Paul,
Paul Caritj wrote:
> Agreed,
> Here's my situation: I need to create rules on the fly for
> (potentially) up to 4000 users. What I need is a way to delete *all*
> the rules for a given IP address without knowing the full contents of
> the rule (only the IP); as you might have guessed, I'm doing this
> programmatically.
>
> My current solution is to have one chain for each associated IP. Is
> there a better solution to this problem?
Yikes, isn't processing that many rules for that many clients going to
have some performance impact? Have you tried a strategy of processing
the general rules (RELATED,ESTABLISHED -j ACCEPT, etc.) in your main
filter chain and then dividing the client rules up by subnet? In theory
that would substantially cut down the number of rules you would need to
test for any given IP address.
Jeff
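The following is an added example, not code posted in this thread. It puts together the two ideas the replies circle around: Paul's requirement (drop every rule for a given IP without remembering the rule contents, done programmatically) and Jeff's layout (general rules such as RELATED,ESTABLISHED first in FORWARD, then one jump per subnet so a packet is only tested against its own /24's rules). Instead of issuing one iptables command per rule, it generates iptables-restore text for the filter table and removes an IP by filtering the saved text and reloading. The chain naming scheme (`net_10_0_0_0`), the helper names and the sample users are constructed for this example.

```python
"""Added example (not code from the thread): an iptables-restore ruleset for
many per-user rules laid out the way Jeffrey Laramie suggests (general rules in
FORWARD, then one dispatch chain per /24), plus a helper that removes every
rule for one IP by editing the saved ruleset, which is what Paul Caritj asks
for. Chain names, sample users and their rules are constructed here."""
import ipaddress
import re


def subnet_chain(ip: str) -> str:
    """Name of the per-/24 chain holding rules for ip (constructed naming)."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return "net_" + str(net.network_address).replace(".", "_")


def build_ruleset(user_rules: dict[str, list[str]]) -> str:
    """Return iptables-restore text for the filter table.

    user_rules maps a client IP to rule fragments (match + target); each
    fragment becomes one rule, restricted to that IP, in its /24 chain.
    """
    per_chain: dict[str, list[str]] = {}
    chain_net: dict[str, str] = {}
    for ip, fragments in user_rules.items():
        chain = subnet_chain(ip)
        chain_net[chain] = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        per_chain.setdefault(chain, []).extend(
            f"-A {chain} -s {ip}/32 {frag}" for frag in fragments
        )
    lines = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT ACCEPT [0:0]"]
    lines += [f":{chain} - [0:0]" for chain in sorted(per_chain)]
    # General rules first, so established flows never walk the client chains.
    lines.append("-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT")
    # One jump per /24: a packet is tested only against its own subnet's rules.
    for chain in sorted(per_chain):
        lines.append(f"-A FORWARD -s {chain_net[chain]} -j {chain}")
    for chain in sorted(per_chain):
        lines.extend(per_chain[chain])
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# Address options whose argument identifies the client; {ip} is filled in.
_ADDR_RE = r"(?:^|\s)(?:-s|--source|-d|--destination)\s+{ip}(?:/32)?(?=\s|$)"


def remove_ip(ruleset: str, ip: str) -> str:
    """Drop every -A line naming ip as source or destination.

    The pattern needs the whole address (optionally /32) followed by
    whitespace or end of line, so removing 10.0.0.1 leaves 10.0.0.10 alone
    and leaves the /24 dispatch rule for 10.0.0.0/24 in place.
    """
    pat = re.compile(_ADDR_RE.format(ip=re.escape(ip)))
    kept = [ln for ln in ruleset.splitlines()
            if not (ln.startswith("-A ") and pat.search(ln))]
    return "\n".join(kept) + "\n"


def rule_count(ruleset: str) -> int:
    """Number of -A rule lines in an iptables-restore text."""
    return sum(1 for ln in ruleset.splitlines() if ln.startswith("-A "))


# Constructed sample: three clients spread over two /24s.
SAMPLE_USERS = {
    "10.0.0.1": ["-p tcp --dport 80 -j ACCEPT", "-p tcp --dport 443 -j ACCEPT"],
    "10.0.0.10": ["-j ACCEPT"],
    "10.0.1.5": ["-p udp --dport 53 -j ACCEPT"],
}

if __name__ == "__main__":
    full = build_ruleset(SAMPLE_USERS)
    print(full)                        # 7 rules: 1 general, 2 jumps, 4 client
    print(remove_ip(full, "10.0.0.1"))  # 5 rules; 10.0.0.10 is untouched
```

The generated text is what `iptables-restore` consumes; loading the whole table in one go also sidesteps the per-command copy of the table that Julian describes, since the kernel receives one replacement instead of one per rule. If the live ruleset is the source of truth rather than a generated file, the same `remove_ip` filter can be run over `iptables-save` output before feeding it back to `iptables-restore`.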
end of thread, other threads:[~2003-09-03 16:21 UTC | newest]