* iptables and performance
From: Eli Hadad @ 2008-05-13 6:59 UTC
To: netfilter

Hi all,

I am new to iptables and have a few questions I hope you can help with:

1. Is there a limit to the number of rules I can add to a specific chain? I need to have around 20000 rules.
2. What are the performance implications of using this large number of rules? Are there any numbers people can share?
3. I also saw the HIPAC project, which claims to have much better performance. Is there any work done to integrate the same type of functionality into iptables?

Thanks in advance,
Eli
* Re: iptables and performance
From: Matt Zagrabelny @ 2008-05-13 15:29 UTC
To: elhadad; +Cc: netfilter

On Tue, 2008-05-13 at 09:59 +0300, Eli Hadad wrote:
> Hi all,
>
> I am new to iptables and have a few questions I hope you can help with:
> 1. Is there a limit to the number of rules I can add to a specific chain?
> I need to have around 20000 rules.
> 2. What are the performance implications of using this large number of
> rules? Are there any numbers people can share?
> 3. I also saw the HIPAC project, which claims to have much better
> performance. Is there any work done to integrate the same type of
> functionality into iptables?

Google: hipac ipset

Look at the first PDF link. It talks about performance and netfilter. It also addresses HIPAC and ipset.

I would say that you want to look at ipset.

Cheers,

--
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot lose.
-Jim Elliot
* Re: iptables and performance
From: Eli Hadad @ 2008-05-13 20:03 UTC
To: Matt Zagrabelny; +Cc: netfilter

Hi Matt,

I guess this is what I was looking for.

Thanks again,
Eli

On Tue, 2008-05-13 at 10:29 -0500, Matt Zagrabelny wrote:
> On Tue, 2008-05-13 at 09:59 +0300, Eli Hadad wrote:
> > Hi all,
> >
> > I am new to iptables and have a few questions I hope you can help with:
> > 1. Is there a limit to the number of rules I can add to a specific chain?
> > I need to have around 20000 rules.
> > 2. What are the performance implications of using this large number of
> > rules? Are there any numbers people can share?
> > 3. I also saw the HIPAC project, which claims to have much better
> > performance. Is there any work done to integrate the same type of
> > functionality into iptables?
>
> Google: hipac ipset
>
> Look at the first PDF link. It talks about performance and netfilter. It
> also addresses HIPAC and ipset.
>
> I would say that you want to look at ipset.
>
> Cheers,
* Re: iptables and performance
From: Grant Taylor @ 2008-05-13 16:24 UTC
To: Mail List - Netfilter

On 05/13/08 01:59, Eli Hadad wrote:
> 1. Is there a limit to the number of rules I can add to a specific
> chain? I need to have around 20000 rules.

Not that I'm aware of. Do you need to have 20,000 rules processed linearly, or could they be broken out into user-defined chains that are jumped to in a tree-like structure to make the number of tests smaller (than 20,000)?

> 2. What are the performance implications of using this large number of
> rules? Are there any numbers people can share?

Well, any time you use an unoptimized list to compare against, things will not be as good as they can be. However, I think if you intelligently design your (user-defined) chains and use IP sets where you can, things should be fine.

I find it very unlikely that you need a list of rules to be processed linearly, one after the other, looking for a match. In that list there should be a way to sub-divide and jump to smaller user-defined chains to make the next decision and eventually (after a few chains and the decisions therein) get to the final rule *MUCH* faster than processing each and every single rule for each and every single packet.

> 3. I also saw the HIPAC project, which claims to have much better
> performance. Is there any work done to integrate the same type of
> functionality into iptables?

I have yet to see any evidence one way or the other as to whether or not stock NetFilter and/or HIPAC are better. (Though I have not been looking either.)

Grant. . . .
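The two layouts discussed in this thread (one flat chain versus a tree of user-defined chains, plus the ipset alternative) can be compared concretely by generating the rulesets instead of loading them. The script below is an added example written for this page, not code posted by anyone in the thread; it emits iptables-restore and ipset-restore input for a constructed list of hosts to DROP and computes the worst-case number of rule tests a packet can hit under each layout. The chain names BLOCK and BLOCK_<octet>, the set name blocked, the sample addresses and the ipset 6.x create/add restore syntax are all assumptions. Note that grouping rules into a tree changes the order in which they are evaluated, so the tree is only equivalent to the flat list when the rules do not overlap, as is the case for plain per-host DROPs.

```shell
#!/bin/sh
# Added example (not code from the thread): compare a flat DROP list, a
# tree of user-defined chains keyed on the first octet, and an ipset
# lookup. Chain names, set name and host list are assumptions.

# Constructed sample host list; in practice this would be the real entries.
SAMPLE_HOSTS="10.1.2.3
10.9.8.7
10.20.30.40
10.200.1.1
172.16.5.5
172.16.9.9
192.168.1.10
192.168.7.77
192.168.100.2
192.168.200.3"

# Flat layout: every packet reaching BLOCK is tested against every rule.
gen_flat() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:BLOCK - [0:0]\n-A INPUT -j BLOCK\n'
    echo "$1" | while read -r ip; do
        [ -z "$ip" ] || echo "-A BLOCK -s $ip -j DROP"
    done
    echo 'COMMIT'
}

# Tree layout: BLOCK only dispatches on the /8, and each BLOCK_<octet>
# subchain holds the host rules for that octet. Only equivalent to the
# flat list when the rules do not overlap (plain per-host DROPs here),
# because grouping changes evaluation order.
gen_tree() {
    hosts=$1
    octets=$(echo "$hosts" | cut -d. -f1 | sort -un)
    printf '*filter\n:INPUT ACCEPT [0:0]\n:BLOCK - [0:0]\n'
    for o in $octets; do echo ":BLOCK_$o - [0:0]"; done
    echo '-A INPUT -j BLOCK'
    for o in $octets; do echo "-A BLOCK -s $o.0.0.0/8 -j BLOCK_$o"; done
    for o in $octets; do
        echo "$hosts" | grep "^$o\." | while read -r ip; do
            echo "-A BLOCK_$o -s $ip -j DROP"
        done
    done
    echo 'COMMIT'
}

# Worst-case rule tests inside BLOCK: the flat layout needs one test per
# host; the tree needs one per dispatch rule plus the largest subchain.
worst_case_flat() {
    echo "$1" | grep -c .
}

worst_case_tree() {
    ndispatch=$(echo "$1" | cut -d. -f1 | sort -u | wc -l)
    nmax=$(echo "$1" | cut -d. -f1 | sort | uniq -c | sort -rn | head -n 1 | awk '{print $1}')
    echo $((ndispatch + nmax))
}

# ipset layout: the lookup is a hash, so the rule count no longer grows
# with the host list. Uses the create/add syntax of ipset 6.x restore
# files (an assumption; the 2008-era tool used different flags).
gen_ipset() {
    echo 'create blocked hash:ip family inet'
    echo "$1" | while read -r ip; do
        [ -z "$ip" ] || echo "add blocked $ip"
    done
}

gen_ipset_rule() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -m set --match-set blocked src -j DROP\nCOMMIT\n'
}

# Stand-alone run: print the tree ruleset and the worst-case comparison
# (a leading '#' line is a comment to iptables-restore).
gen_tree "$SAMPLE_HOSTS"
echo "# worst-case tests: flat=$(worst_case_flat "$SAMPLE_HOSTS") tree=$(worst_case_tree "$SAMPLE_HOSTS")"
```

Redirect the output of gen_flat or gen_tree into a file and load it with iptables-restore; for the ipset variant, load gen_ipset output with ipset restore first and then the single rule from gen_ipset_rule. For the ten sample hosts the flat chain can cost ten tests per packet while the tree costs at most seven (three dispatch rules plus the four-entry BLOCK_192 subchain); the gap widens as the list grows and as the dispatch key is chosen to keep subchains small.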