Whats faster? multiple rules vs. multiport match

Whats faster? multiple rules vs. multiport match

[Maximilian Wilhelm]

Hi!

While hacking on alff [42] I asked myself what would be more wise to
use for matching multiple ports on multiple servers/ips

 a) on rule for every ip/port combination
 b) two rules for every server, one for tcp and one for udp
    (assumend I only have to match for udp and tcp stuff).

(The whole scenario is the following:
 I generate rules to regulate access to different services.
 Every service is transalted into an own chain.
 Therein I generate a matrix of host running this service and port
 related to it - like a))

As there are some services with ~ 20 ports (think: Windows(r) DC)
there might be some advantage in choosing the faster way.

Is there any "benchmark" which might enligthen me which way to use?
Any comments?

Thanks in advance
Ciao
Max
-- 
	Follow the white penguin.

Re: Whats faster? multiple rules vs. multiport match

[Jan Engelhardt]

On Feb 15 2007 22:37, Maximilian Wilhelm wrote:
>Subject: Whats faster? multiple rules vs. multiport match

Of course a multiport match. Not that I have any hard proof for that, but
it's a feeling.

To match N ports with N rules, you will need to call N times into
xt_tcpudp of cost T.

To match N ports with N/20 rules using a multiport spec, you will need to
call N/20 times into xt_tcpudp of cost T and N/20 times into xt_multiport
of cost M.

For

  T*N < T*N/20 + M*N/20,  with N->Infinity

to hold,

In[9]:= Reduce[t*n < t*n/20+m*n/20, t]

                                             m                    m
Out[9]= m \[Element] Reals && ((n < 0 && t > --) || (n > 0 && t < --))
                                             19                   19

we need T < M/19, or interpreted, xt_tcpudp needs to run through about 19
times less instruction/lines than xt_multiport, which seems unrealistic,
since xt_multiport's match function has (by eye) roughly the same number
of LoCs as xt_tcpudp.

Of course this is just theory, there might be a bug in my thinking, or
it's a close tie, and only a benchmark - I am not aware of any yet - can
prove it.


Jan
-- 
ft: http://freshmeat.net/p/chaostables/

Re: Whats faster? multiple rules vs. multiport match

[Pascal Hambourg]

Hello,

Jan Engelhardt a écrit :
> 
> To match N ports with N/20 rules using a multiport spec  [...]

Note that the multiport match does not support more than 15 ports (and a 
port range counts as two ports). ;-)

Re: Whats faster? multiple rules vs. multiport match

[Jan Engelhardt]

Hi,


> Jan Engelhardt a écrit :
>> 
>> To match N ports with N/20 rules using a multiport spec  [...]
>
> Note that the multiport match does not support more than 15 ports (and a port
> range counts as two ports). ;-)

Oh right. Then substitute 20 by 15 and 19 by 14.


Jan
-- 
ft: http://freshmeat.net/p/chaostables/