* Whats faster? multiple rules vs. multiport match
@ 2007-02-15 21:37 Maximilian Wilhelm
2007-02-17 13:55 ` Jan Engelhardt
0 siblings, 1 reply; 4+ messages in thread
From: Maximilian Wilhelm @ 2007-02-15 21:37 UTC (permalink / raw)
To: netfilter
Hi!
While hacking on alff [42] I asked myself what would be more wise to
use for matching multiple ports on multiple servers/ips
a) on rule for every ip/port combination
b) two rules for every server, one for tcp and one for udp
(assumend I only have to match for udp and tcp stuff).
(The whole scenario is the following:
I generate rules to regulate access to different services.
Every service is transalted into an own chain.
Therein I generate a matrix of host running this service and port
related to it - like a))
As there are some services with ~ 20 ports (think: Windows(r) DC)
there might be some advantage in choosing the faster way.
Is there any "benchmark" which might enligthen me which way to use?
Any comments?
Thanks in advance
Ciao
Max
--
Follow the white penguin.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Whats faster? multiple rules vs. multiport match
2007-02-15 21:37 Whats faster? multiple rules vs. multiport match Maximilian Wilhelm
@ 2007-02-17 13:55 ` Jan Engelhardt
2007-02-17 14:24 ` Pascal Hambourg
0 siblings, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2007-02-17 13:55 UTC (permalink / raw)
To: Maximilian Wilhelm; +Cc: netfilter
On Feb 15 2007 22:37, Maximilian Wilhelm wrote:
>Subject: Whats faster? multiple rules vs. multiport match
Of course a multiport match. Not that I have any hard proof for that, but
it's a feeling.
To match N ports with N rules, you will need to call N times into
xt_tcpudp of cost T.
To match N ports with N/20 rules using a multiport spec, you will need to
call N/20 times into xt_tcpudp of cost T and N/20 times into xt_multiport
of cost M.
For
T*N < T*N/20 + M*N/20, with N->Infinity
to hold,
In[9]:= Reduce[t*n < t*n/20+m*n/20, t]
m m
Out[9]= m \[Element] Reals && ((n < 0 && t > --) || (n > 0 && t < --))
19 19
we need T < M/19, or interpreted, xt_tcpudp needs to run through about 19
times less instruction/lines than xt_multiport, which seems unrealistic,
since xt_multiport's match function has (by eye) roughly the same number
of LoCs as xt_tcpudp.
Of course this is just theory, there might be a bug in my thinking, or
it's a close tie, and only a benchmark - I am not aware of any yet - can
prove it.
Jan
--
ft: http://freshmeat.net/p/chaostables/
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-02-17 15:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-02-15 21:37 Whats faster? multiple rules vs. multiport match Maximilian Wilhelm
2007-02-17 13:55 ` Jan Engelhardt
2007-02-17 14:24 ` Pascal Hambourg
2007-02-17 15:33 ` Jan Engelhardt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox