How Expensive?

How Expensive?

[Jonathan Tripathy]

Hi Everyone,

I wish to use iptables on a host that will be hosting a large number of 
VMs for customers. IPtables will do some basic "managed firewalling" for 
them.

My question is, how expensive are having lots of custom chains? My idea 
is to create one child chain per VM, with the idea to cut down the 
amount of rules evaluated (i.e. a parent chain would only jump to a 
child chain if the dest IP matches) - does this sound like a good idea?

Thanks

Re: How Expensive?

[Payam Chychi]

it's much less and actually recommended than running all rules in default/less chains as each pkt must traverse the entire chain to be processed

Regards,
--
Payam Tarverdyan Chychi
Network Engineer

Sent from my iPhone

On 2010-07-27, at 5:23 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:

> Hi Everyone,
> 
> I wish to use iptables on a host that will be hosting a large number of VMs for customers. IPtables will do some basic "managed firewalling" for them.
> 
> My question is, how expensive are having lots of custom chains? My idea is to create one child chain per VM, with the idea to cut down the amount of rules evaluated (i.e. a parent chain would only jump to a child chain if the dest IP matches) - does this sound like a good idea?
> 
> Thanks
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: How Expensive?

[Jan Engelhardt]

On Wednesday 2010-07-28 03:17, Payam Chychi wrote:

>it's much less and actually recommended than running all rules in 
>default/less chains as each pkt must traverse the entire chain to be 
>processed

Packets need not traverse an entire chain! All of -j ACCEPT, -j DROP,
-j RETURN and -g xxx cause an early exit from the current chain in one 
way or another.

Re: How Expensive?

[Payam Chychi]

On 10-07-27 11:12 PM, Jan Engelhardt wrote:
> On Wednesday 2010-07-28 03:17, Payam Chychi wrote:
>
>    
>> it's much less and actually recommended than running all rules in
>> default/less chains as each pkt must traverse the entire chain to be
>> processed
>>      
> Packets need not traverse an entire chain! All of -j ACCEPT, -j DROP,
> -j RETURN and -g xxx cause an early exit from the current chain in one
> way or another.
>    
a packet must traverse an entire chain unless it meets a given condition 
and as such its better to have more specific chains to jump packet 
through rather than having to wait until the end of a chain, ie. 1000 
line chain.

ps, my prevoius reply was suppose to say "its much less overhead to use 
more chains and actually NOT recommended to run all rules in 
default/less chains", sorry for the confusion.