From: Roberto Nibali <ratz@tac.ch>
To: nedco@unacs.bg
Cc: netfilter@lists.netfilter.org
Subject: Re: Loding rules
Date: Mon, 16 Dec 2002 11:47:55 +0100
Message-ID: <3DFDAF5B.1070800@tac.ch>
In-Reply-To: 3df77ff9.7a14.0@unacs.bg

> Hi,
> How do I load about 20000 rules fast in iptables?
> If some document would be of help, please let me know :)

Netfilter is not designed for that. Please use the nf-hipac[1] drop-in
replacement. NF-hipac will do the filtering and rule organisation for you and
for the rest (NAT, mangle) you can still use netfilter. Also you should check if
you can't logically draw a binary tree with your rules which would then result
in faster matching lookup (at least with netfilter).

And no: iptables-save/restore is _not_ an option for dynamically changing rules!

If you have that many rules you certainly have a logic or kind of a matrix
behind that. Try to use some algebraic transformations (linear translation,
Laplace (define network flows), Gauss, TSP, ...) to optimize the ruleset. I have
done this and successfully reduced the number of rules.

[1] http://www.hipac.org

Regards,
Roberto Nibali, ratz

--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
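
The binary-tree layout suggested in the reply, as an added example (not code from this thread, netfilter or nf-hipac): source-address rules are split by prefix into user-defined chains so a packet walks one branch instead of the whole list. It assumes disjoint single-host IPv4 rules, so reordering them is safe; the chain names, `LEAF_MAX` and the sample addresses are constructed for illustration.

```python
import ipaddress

LEAF_MAX = 4  # assumed threshold: chains this short are scanned linearly


def build(chain, net, rules, out):
    """Append iptables commands for `rules` [(address, target)] to `out`.

    Returns the worst-case number of rules one packet evaluates from
    `chain` downwards (a packet that ends up matching nothing).
    """
    if len(rules) <= LEAF_MAX or net.prefixlen == 32:
        out += [f"iptables -A {chain} -s {a} -j {t}" for a, t in rules]
        return len(rules)
    jumps, deepest = 0, 0
    for half in net.subnets(prefixlen_diff=1):
        sub = [(a, t) for a, t in rules if a in half]
        if not sub:
            continue  # no rules below this prefix: no jump needed
        # Hypothetical naming scheme; stays well under the chain-name limit.
        child = f"t{int(half.network_address):08x}_{half.prefixlen}"
        out.append(f"iptables -N {child}")  # create before jumping to it
        out.append(f"iptables -A {chain} -s {half} -j {child}")
        jumps += 1
        deepest = max(deepest, build(child, half, sub, out))
    return jumps + deepest


def tree_ruleset(rules, root="INPUT"):
    """Return (commands, worst_case_evaluations) for disjoint host rules."""
    rules = [(ipaddress.ip_address(a), t) for a, t in rules]
    out = []
    worst = build(root, ipaddress.ip_network("0.0.0.0/0"), rules, out)
    return out, worst


# Constructed sample: 256 blocked hosts spread over 10.0.0.0/16.
SAMPLE = [(f"10.0.{i}.{(i * 7) % 256}", "DROP") for i in range(256)]

if __name__ == "__main__":
    cmds, worst = tree_ruleset(SAMPLE)
    print(f"flat chain: {len(SAMPLE)} rules evaluated in the worst case")
    print(f"chain tree: {worst} rules evaluated in the worst case")
    print("\n".join(cmds[:6]))
```

The generator only prints commands; review the output and load it on a test host before touching a production ruleset.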