Linux Netfilter discussions
* iptables and performance
From: Eli Hadad @ 2008-05-13  6:59 UTC (permalink / raw)
  To: netfilter


Hi all,

I am new to iptables and have a few questions I hope you can help with:
1. Is there a limit to the number of rules I can add to a specific chain?
I need to have around 20000 rules.
2. What are the performance implications of using this large number of
rules? Are there any numbers people can share?
3. I also saw the HIPAC project, which claims to have much better
performance. Is there any work done to integrate the same type of
functionality into iptables?

Thanks in advance,
Eli



* Re: iptables and performance
From: Matt Zagrabelny @ 2008-05-13 15:29 UTC (permalink / raw)
  To: elhadad; +Cc: netfilter


On Tue, 2008-05-13 at 09:59 +0300, Eli Hadad wrote:
> Hi all,
> 
> I am new to iptables and have a few questions I hope you can help with:
> 1. Is there a limit to the number of rules I can add to a specific chain?
> I need to have around 20000 rules.
> 2. What are the performance implications of using this large number of
> rules? Are there any numbers people can share?
> 3. I also saw the HIPAC project, which claims to have much better
> performance. Is there any work done to integrate the same type of
> functionality into iptables?

Google: hipac ipset

Look at the first pdf link. It talks about performance and netfilter. It
also addresses HIPAC and ipset.

I would say that you want to look at ipset.

Cheers,

-- 
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85  C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot



* Re: iptables and performance
From: Grant Taylor @ 2008-05-13 16:24 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/13/08 01:59, Eli Hadad wrote:
> 1. Is there a limit to the number of rules I can add to a specific 
> chain? I need to have around 20000 rules.

Not that I'm aware of.

Do you need to have 20,000 rules to be processed linearly, or could they 
be broken out into user-defined chains that are jumped to in a tree-like 
structure to make the number of tests smaller (than 20,000)?

> 2. What are the performance implications of using this large number of 
> rules? Are there any numbers people can share?

Well, any time you use an unoptimized list to compare against, things 
will not be as good as they can be.

However, I think if you intelligently design your (user-defined) chains 
and use IP Sets where you can, things should be fine.

I find it very unlikely that you need a list of rules to be processed 
linearly one after the other looking for a match.  In that list there 
should be a way to sub-divide and jump to smaller user-defined chains to 
make the next decision and eventually (after a few chains and decisions 
therein) get to the final rule *MUCH* faster than processing each and 
every single rule for each and every single packet.

> 3. I also saw the HIPAC project, which claims to have much better 
> performance. Is there any work done to integrate the same type of 
> functionality into iptables?

I have yet to see any evidence one way or the other as to whether or not 
stock NetFilter and / or HIPAC are better.  (Though I have not been 
looking either.)



Grant. . . .
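The two approaches suggested in this thread (Grant's tree of user-defined chains, Matt's ipset) side by side, as an added example that is not part of the original messages. The script only prints the iptables/ipset commands for review; the blocklist is a constructed sample, and the chain naming scheme (BLOCK, BLOCK_<o1>, BLOCK_<o1>_<o2>) is my own choice.

```shell
#!/bin/sh
# Added example: split a flat source-IP blocklist into a two-level tree of
# user-defined chains (/8 then /16) so that a packet is tested against one
# branch instead of every rule. Nothing is applied; commands are printed.
# Constructed sample blocklist; a real one would be read from a file.
BLOCKLIST='10.1.2.3
10.1.9.9
10.5.0.1
192.168.1.1
192.168.1.2
172.16.4.4'

# Emit the tree: one -N per /8 and /16 chain, one jump per branch, leaf DROPs.
gen_tree() {
    printf 'iptables -N BLOCK\n'
    printf '%s\n' "$BLOCKLIST" | sort -t. -k1,1n -k2,2n | awk -F. '
        {
            c8 = "BLOCK_" $1; c16 = c8 "_" $2
            if (!(c8 in seen)) {
                seen[c8] = 1
                printf "iptables -N %s\n", c8
                printf "iptables -A BLOCK -s %s.0.0.0/8 -j %s\n", $1, c8
            }
            if (!(c16 in seen)) {
                seen[c16] = 1
                printf "iptables -N %s\n", c16
                printf "iptables -A %s -s %s.%s.0.0/16 -j %s\n", c8, $1, $2, c16
            }
            printf "iptables -A %s -s %s -j DROP\n", c16, $0
        }'
    printf 'iptables -A INPUT -j BLOCK\n'
}

# The ipset alternative: one hash lookup and a single iptables rule
# (assumes the ipset tool and the xt_set match are available).
gen_ipset() {
    printf 'ipset create blocklist hash:ip\n'
    printf '%s\n' "$BLOCKLIST" | sed 's/^/ipset add blocklist /'
    printf 'iptables -A INPUT -m set --match-set blocklist src -j DROP\n'
}

# Sanity checks: leaf DROP rules must equal the number of blocklist entries.
count_leaf_drops() { gen_tree | grep -c -- '-j DROP$'; }
count_chains() { gen_tree | grep -c '^iptables -N '; }

# Usage after review: ./script.sh tree | sh   or   ./script.sh ipset | sh
case "${1:-}" in tree) gen_tree ;; ipset) gen_ipset ;; esac
```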


* Re: iptables and performance
From: Eli Hadad @ 2008-05-13 20:03 UTC (permalink / raw)
  To: Matt Zagrabelny; +Cc: netfilter


Hi Matt,

I guess this is what I was looking for.

Thanks again,
Eli

On Tue, 2008-05-13 at 10:29 -0500, Matt Zagrabelny wrote:
> On Tue, 2008-05-13 at 09:59 +0300, Eli Hadad wrote:
> > Hi all,
> > 
> > I am new to iptables and have a few questions I hope you can help with:
> > 1. Is there a limit to the number of rules I can add to a specific chain?
> > I need to have around 20000 rules.
> > 2. What are the performance implications of using this large number of
> > rules? Are there any numbers people can share?
> > 3. I also saw the HIPAC project, which claims to have much better
> > performance. Is there any work done to integrate the same type of
> > functionality into iptables?
> 
> Google: hipac ipset
> 
> Look at the first pdf link. It talks about performance and netfilter. It
> also addresses HIPAC and ipset.
> 
> I would say that you want to look at ipset.
> 
> Cheers,
> 

