* MAC Hash
From: Jason Cosby @ 2008-09-25 22:18 UTC (permalink / raw)
To: netfilter
All,
I have the following running on our server:
for m in xx:xx:xx:xx:xx:xx...about 75 MACs
do
    iptables -t mangle -A PREROUTING -i eth1 -m mac --mac-source "$m" -j ACCEPT
done
iptables -t mangle -A PREROUTING -i eth1 -j DROP
iptables -t mangle -A PREROUTING -i eth1 -m iprange ! --src-range \
    192.168.1.1-192.168.1.74 -j DROP
and encountered a noticeable slowdown when I incorporated the above. Can anyone offer suggestions as to how to speed this up? I know that hash tables are out there, but I am not clear on their use.
Thanks,
Jason
* Re: MAC Hash
From: Brian Austin - Standardknit @ 2008-09-26 0:56 UTC (permalink / raw)
To: sky_jason; +Cc: netfilter
-----Original Message -----
From: Jason Cosby
Sent: 26/09/2008 8:18 AM
> All,
>
> I have the following running on our server:
>
> for m in xx:xx:xx:xx:xx:xx...about 75 MACs
> do
> iptables -t mangle -A PREROUTING -i eth1 -m mac --mac-source $m -j ACCEPT
> done
>
> iptables -t mangle -A PREROUTING -i eth1 DROP
>
> iptables -t mangle -A PREROUTING -i eth1 -m iprange ! --src-range \
> 192.168.1.1-192.168.1.74 -j DROP
>
> and encountered a noticeable slowdown when I incorporated the above. Can anyone offer suggestions as to how to speed this up? I know that hash tables are out there, but I am not clear on their use.
>
> Thanks,
> Jason
I would suggest the problem is your chain of 75 rules...
You may want to make some stubby user chains and branch the tests out,
so packets go through fewer checks.
i.e. 7 user chains, with 10 checks in each
so the worst case for chain traversal would be around 17 rules
traversed, not 75, with an average of 8 rules, not 37....
and put your busiest MAC addresses at the top of the checks if you can.
regards
b
* MAC Hash
From: Jason Cosby @ 2008-09-26 14:21 UTC (permalink / raw)
To: netfilter
As far as I can figure out, the following:
iptables -N mymap macipmap
for ip in 192.168.1.`seq 6 75`; do
for mac in xx:xx:xx:xx:xx....75 MACs; do
iptables -A mymap $ip:$mac
iptables -T mymap $ip -j ACCEPT
done
done
should yield the same result and be faster than:
for mac in xx:xx:xx:xx:xx....75 MACs; do
    iptables -t mangle -A PREROUTING -i eth1 -m mac --mac-source \
        "${mac}" -j ACCEPT
done
iptables -t mangle -A PREROUTING -i eth1 -j DROP
iptables -t mangle -A PREROUTING -i eth1 -m iprange ! --src-range \
    192.168.1.1-192.168.1.74 -j DROP
but I am not sure of this. The drawback of using the hash is that the MACs must match the IPs in dhcpd.conf, but this can be dealt with. Is there no -m flag before macipmap? Can someone with experience weigh in on this, both concerning speed and correctness? ipset doesn't seem to be what I need here.
Thanks,
Jason
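As an added example (not code from this thread or from the netfilter project), the hashed IP-to-MAC lookup Jason is reaching for, written with current ipset syntax: bitmap:ip,mac is today's name for the macipmap set type, and the iptables "set" match does the single lookup. The set name known_hosts, the interface eth1, the network range, and the ip/mac pairs below are all assumptions.

```shell
#!/bin/sh
# Replace ~75 linear "-m mac" rules with one hashed IP,MAC lookup.
# Assumed: ipset 6.x (bitmap:ip,mac is the current name of the macipmap type),
# the iptables "set" match, and a constructed list of "ip mac" pairs such as
# the ones kept in dhcpd.conf host entries. Dry run by default; APPLY=1 executes.
SET_NAME=${SET_NAME:-known_hosts}
NETWORK=${NETWORK:-192.168.1.0/24}
IFACE=${IFACE:-eth1}

run() {
    # Print the command unless APPLY=1, so the generated rules can be reviewed first.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

sample_map() {
    # Constructed sample pairs (not from the thread); comments and blank lines are allowed.
    cat <<'EOF'
# ip            mac
192.168.1.6     00:11:22:33:44:55
192.168.1.7     00:11:22:33:44:56

192.168.1.8     00:11:22:33:44:57
EOF
}

build_set() {
    # Reads "ip mac" pairs on stdin. Each entry binds the IP to its MAC, so a packet
    # carrying a known MAC with a different IP (or the reverse) fails the lookup.
    run ipset -exist create "$SET_NAME" bitmap:ip,mac range "$NETWORK"
    while read -r ip mac _; do
        case $ip in ''|'#'*) continue ;; esac
        run ipset -exist add "$SET_NAME" "$ip,$mac"
    done
}

install_rules() {
    # One set lookup instead of a linear walk; the set must exist before the rule is added.
    # IPs outside $NETWORK cannot be in the set, so they fall through to DROP as well.
    run iptables -t mangle -A PREROUTING -i "$IFACE" \
        -m set --match-set "$SET_NAME" src,src -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$IFACE" -j DROP
}

# Review the output, then rerun with APPLY=1 to load the set and the two rules.
sample_map | build_set
install_rules
```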
* Re: MAC Hash
From: Gáspár Lajos @ 2008-09-26 14:22 UTC (permalink / raw)
To: Brian Austin - Standardknit; +Cc: sky_jason, netfilter
What about this?
iptables -t mangle -N PRE_BR1_MAC
# One CONNMARK rule per known MAC; $MARK_KNOWN_MAC is defined elsewhere in the script.
cat /etc/firewall/mac_br1 | sort | grep '+' | while read line
do
    iptables -t mangle -A PRE_BR1_MAC -m mac --mac-source `echo $line | awk '{print $1}'` \
        -j CONNMARK --set-mark $MARK_KNOWN_MAC
done
iptables -t mangle -A PRE_BR1_MAC -m connmark --mark $MARK_KNOWN_MAC -j RETURN
# UNKNOWN MAC !!!
iptables -t mangle -A PRE_BR1_MAC -j LOG --log-prefix 'IPT: ***MAC BR1*** ' --log-level debug
iptables -t mangle -A PRE_BR1_MAC -j DROP
# Only on BR1 !!!
iptables -t mangle -N PRE_BR1
# CHECK MAC (only connections not yet marked walk the MAC chain)
iptables -t mangle -A PRE_BR1 -m connmark ! --mark $MARK_KNOWN_MAC -j PRE_BR1_MAC
iptables -t mangle -A PRE_BR1 -j ACCEPT
iptables -t mangle -A PREROUTING -i br1 -j PRE_BR1
Swifty
Brian Austin - Standardknit wrote:
>
> -----Original Message -----
> From: Jason Cosby
> Sent: 26/09/2008 8:18 AM
>> All,
>>
>> I have the following running on our server:
>>
>> for m in xx:xx:xx:xx:xx:xx...about 75 MACs
>> do
>> iptables -t mangle -A PREROUTING -i eth1 -m mac --mac-source $m -j
>> ACCEPT
>> done
>>
>> iptables -t mangle -A PREROUTING -i eth1 DROP
>>
>> iptables -t mangle -A PREROUTING -i eth1 -m iprange ! --src-range \
>> 192.168.1.1-192.168.1.74 -j DROP
>>
>> and encountered a noticeable slowdown when I incorporated the above.
>> Can anyone offer suggestions as to how to speed this up? I know that
>> hash tables are out there, but I am not clear on their use.
>> Thanks,
>> Jason
> I would suggest the problem is your chain of 75 rules...
>
> You may want to make some stubby user chains and branch the tests out,
> so packets go thru less checks.
>
> ie 7 user chains, with 10 checks in each
>
> so the worst case for chain traversal would be around 17 rules
> traversed, not 75, with an average of 8 rules, not 37....
>
> and put your busiest mac addresses at the top of the checks if you can.
>
> regards
>
> b