From: Pablo Neira Ayuso <pablo@netfilter.org>
To: John Bourke <john.bourke@mobileinternet.com>
Cc: 'Michele Petrazzo - Unipex srl' <michele.petrazzo@unipex.it>,
netfilter@vger.kernel.org
Subject: Re: Iptables execution time
Date: Fri, 17 Oct 2008 13:53:19 +0200
Message-ID: <48F87CAF.9000507@netfilter.org>
In-Reply-To: <002301c92fe5$3234ff00$969efd00$@bourke@mobileinternet.com>
John Bourke wrote:
> Folks,
>
> I ran some tests tonight. I took our usual firewall rule count of about
> 5000 rules and added another 25,000. At every 100 added I measured the time
> taken to add the last of the 100.
>
> After the first 100 rules, a rule was added in 29ms. After 25,000 rules
> were added last the rule was added in 169ms. The total number of rules at
> the end was 29716.
>
> On another system, the 100th rule added in 40ms, the 25,000th rule added in
> 90ms, and the total rule count at the end was 32227.
>
> The rule add was a simple
>
> iptables -I FORWARD -s 10.0.a.b -j ACCEPT
>
> Where a was from 1 to 250 and b was from 1 to 100. So I was not doing
> anything more complex.
>
> Even at 40ms, I can only load 25 rules a second. As I have a dynamic
> firewall which changes every second, and each of my users has about 25
> rules, I can only handle one user addition or removal a second. I would
> like to do 10 per second, 250 rules per second.
>
> Are there better ways to do this, iptables-restore, ipset ?
Use iptables-restore -n and pipe the rules updates for dynamic rule
addition and deletion.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
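The approach in the reply above, as an added example that is not code from the thread: instead of one iptables(8) invocation per rule (each of which re-downloads, modifies and re-uploads the whole ruleset, which is why the per-rule cost grows with the rule count), the per-user rules are written as one iptables-restore batch and fed to `iptables-restore -n` (`--noflush`), so the kernel sees a single atomic update and existing rules are kept. The chain (FORWARD), the `-s <addr> -j ACCEPT` rule shape and the 25-rules-per-user figure come from the thread; the helper names, the `APPLY` variable and the constructed 10.0.x.y addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore batch for
# one user's rules and apply it in a single commit with "iptables-restore -n".

# Emit one batch for the filter table. $1 is "add" or "del"; the remaining
# arguments are source addresses. "-I" inserts, "-D" deletes the matching
# rule. The *filter ... COMMIT bracket makes the whole batch one atomic
# ruleset update instead of one per rule.
build_batch() {
    op=$1; shift
    case $op in
        add) flag=-I ;;
        del) flag=-D ;;
        *) echo "build_batch: op must be add or del" >&2; return 2 ;;
    esac
    printf '*filter\n'
    for src in "$@"; do
        printf '%s FORWARD -s %s -j ACCEPT\n' "$flag" "$src"
    done
    printf 'COMMIT\n'
}

# Constructed address list for one user: 25 hosts in 10.0.<n>.0/24.
user_addrs() {
    i=1
    while [ "$i" -le 25 ]; do
        printf '10.0.%s.%s\n' "$1" "$i"
        i=$((i + 1))
    done
}

# Count rule lines (those starting with -I or -D) on stdin; used to check a
# batch before it is applied.
count_rules() {
    grep -c '^-[ID] '
}

# Apply a batch read from stdin. -n/--noflush keeps the rules already loaded;
# without it iptables-restore replaces the whole table. Unless APPLY=1 is set
# the batch is only printed so it can be reviewed (or checked with
# "iptables-restore -n -t", which parses without committing).
apply_batch() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables-restore -n
    else
        cat
    fi
}

# Usage: ./batch.sh demo add 7   (or: APPLY=1 ./batch.sh demo del 7 as root)
if [ "${1:-}" = "demo" ]; then
    build_batch "${2:-add}" $(user_addrs "${3:-1}") | apply_batch
fi
```

Adding or removing a user is then one `iptables-restore -n` process per user rather than 25 `iptables` processes, which is what the original poster needs to reach several user changes per second. Rules for several users can be concatenated into the same `*filter ... COMMIT` block when they should commit together.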
Thread overview: 4+ messages
2008-10-16 17:29 Iptables execution time Michele Petrazzo - Unipex srl
2008-10-16 17:48 ` Pablo Neira Ayuso
2008-10-16 18:17 ` Michele Petrazzo - Unipex srl
[not found] ` <002301c92fe5$3234ff00$969efd00$@bourke@mobileinternet.com>
2008-10-17 11:53 ` Pablo Neira Ayuso [this message]