From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: iptables script file
Date: Thu, 28 Oct 2004 11:05:35 -0400
Message-ID: <20041028150535.GA4228@bender.817west.com>
In-Reply-To: <200410281351.i9SDpdoL058208@jkcpub.iserver.net>
On Thu, Oct 28, 2004 at 09:56:36AM -0400, Deepak Seshadri wrote:
> Hello everybody,
>
> Kenneth: Thank you very much for the reply. I'll look into this option.
>
> Does anybody have any other suggestion? How does everyone load their
> rule-set?
here's the state-of-the-union:

loading rules from a script that issues "iptables -A ..." commands over
& over again is not "efficient." whether this inefficiency is a problem
or not depends on the number of rules being loaded. the firewall i'm
testing with uses an actual ruleset of ~100 rules and takes less than 5
seconds to load:

  time ./fw start
  real 0m4.632s
  user 0m0.300s
  sys 0m4.310s

here's an example using a script that loads 1024 rules of the form:

  iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW \
    -s 10.x.y.1/24 -j ACCEPT

(where x and y are incremented via a for loop)

  # time ./addrules
  real 0m20.855s
  user 0m0.410s
  sys 0m20.440s

now, let's do an "iptables-save" on those loaded rules, and see how long
an "iptables-restore" takes:

  # time iptables-restore 1000rules.save
  real 0m1.253s
  user 0m0.080s
  sys 0m1.130s

all these tests are performed on the same machine:

  Linux vmg2 2.4.26-gentoo-r9 #2 Fri Sep 3 07:13:35 EDT 2004 i686 Intel(R)
  Pentium(R) M processor 1.70GHz GenuineIntel GNU/Linux
  192 MB RAM

so, the upshot is this--if your ruleset is sufficiently large to make
the inefficiency of scripted "iptables" commands a problem--you'll need
to use "iptables-restore" to load your rules. once you get the hang of
it, it really isn't that hard to just edit the "iptables-restore" file
format (even though this isn't "recommended").
hope this helps...
-j
--
Jason Opperisano <opie@817west.com>
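The following is an added example, not part of Jason's message or of the netfilter project's code. It shows the iptables-restore file format he refers to by generating the 1024-rule test set from the mail as a single restore file instead of 1024 separate "iptables -A" invocations. The reason the restore path is so much faster (and safer) is that every iptables command fetches the whole table from the kernel, modifies it and pushes it back, so a scripted load replaces the table once per rule and leaves a half-loaded ruleset visible in between; iptables-restore parses the entire file and replaces each table once at COMMIT. Everything below that is not in the mail is a constructed assumption: x and y each run 0..31 to produce the 1024 rules, the subnets are written as .0/24 (iptables-save normalizes the host bits away, so 10.x.y.1/24 comes back out as 10.x.y.0/24), and the default policies and the two leading ESTABLISHED,RELATED / loopback rules are a stock allow-list skeleton.

```shell
#!/bin/sh
# Added example (not from the original thread): generate an iptables-restore
# file for the 1024 rules described in the mail, so they load with one
# atomic table commit rather than 1024 "iptables -A" executions.
#
# Constructed assumptions: x and y run 0..31 (32*32 = 1024 rules), subnets
# are written in the normalized .0/24 form that iptables-save emits, and the
# chain policies / leading rules are a generic allow-list skeleton.

# Emit one rule per /24 in iptables-save syntax (the "iptables" prefix is
# omitted; iptables-restore reads the rule lines directly).
gen_rules() {
    x=0
    while [ "$x" -lt 32 ]; do
        y=0
        while [ "$y" -lt 32 ]; do
            printf '%s\n' "-A INPUT -i eth0 -p tcp --syn -m state --state NEW -s 10.$x.$y.0/24 -j ACCEPT"
            y=$((y + 1))
        done
        x=$((x + 1))
    done
}

# Wrap the rules in the filter-table header and COMMIT footer that
# iptables-restore expects. Policies are constructed: INPUT/FORWARD DROP
# makes the ACCEPT rules above meaningful as an allow-list.
gen_restore_file() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    gen_rules
    printf '%s\n' 'COMMIT'
}

# Sanity check before handing the file to iptables-restore: count the
# per-subnet rules in the generated output.
count_subnet_rules() {
    gen_restore_file | grep -c -e '-s 10\.[0-9]*\.[0-9]*\.0/24'
}

# Usage (as root, on the firewall host, not run here):
#   gen_restore_file > 1024rules.save
#   iptables-restore < 1024rules.save
```

Because the whole file is parsed before anything is committed, a syntax error anywhere in it means no table is changed at all, which is the property you want when regenerating a production ruleset from a template; newer iptables releases also accept `iptables-restore --test` to parse the file without committing it.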
Thread overview:
2004-10-25 21:26 iptables script file Deepak Seshadri
2004-10-25 21:28 ` Kenneth Porter
2004-10-28 13:56 ` Deepak Seshadri
2004-10-28 15:05 ` Jason Opperisano [this message]
2004-10-30 21:00 ` Jose Maria Lopez
2004-11-03 17:14 ` Deepak Seshadri
2004-10-28 15:14 ` Michael Gale