Fwd: iptables extremely slow

Robert Olsson robban@robtex.com
Thu, 16 Aug 2001 19:00:15 +0200


I've got some more information.
On my test machine I ran strace on iptables and found where it spends all its time:

execve("/usr/local/sbin/iptables", ["iptables", "-A", "protd", "-d", "10.1.1.100", "-p", "tcp", "--dport", "110", "-j", "okd"], [/* 22 vars */]) = 0
.
.
mprotect(0x40150000, 1476, PROT_NONE)   = 0 <0.000019>
old_mmap(0x40150000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40150000 <0.000024>
close(4)                                = 0 <0.000015>
brk(0x807c000)                          = 0x807c000 <0.000019>
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, [1953261926], 67584) = 0 <13.342718>
setsockopt(3, SOL_IP, 0x41 /* IP_??? */, [1953261926], 6772) = 0 <0.000243>
_exit(0)                                = ?


which means it spent 13 seconds in setsockopt,
probably here I guess:

libiptc/libiptc.c:

        if (setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
                       sizeof(*repl) + (*handle)->entries.size) < 0) {
                free(repl->counters);
                free(repl);
                free(newcounters);
                return 0;
        }

---- now what? what is going on in the kernel?

Best Regards
Robban


At 17:42 2001-08-16 +0200, Robert Olsson wrote:
>Thank you very much for your answer.
>Very good suggestions, but they don't help me.
>There are (of course) only numerical IP addresses, and I need
>at least as many rules as there are machines, multiplied by the
>average number of open ports. The default rule is to deny everything.
>
>Sure, I can minimize rules by creating subchains like 'http-smtp-and-some-other-services'
>and use them as the target for some IPs, thereby saving a couple of
>rules per machine.
>
>Today a customer called and wanted me to open port 21 and because I didn't want to
>run the whole script while I had him on the phone, I ran directly:
>
>iptables -I FORWARD -d 123.123.123.123 -p tcp --dport 21 -j ACCEPT
>
>and it was the most annoying minute in my life, repeatedly telling
>him that 'it will be open right away, just a moment now.. could you
>please try again in a little while... erhh... very soon now...'
>and then, finally the command finished.
>(Appending doesn't go any faster either)
>
>I would like someone to tell me to do something like
>"echo 1000 > /proc/sys/net/maximumrulesbeforegettingextremelyslow " :)
>
>Best Regards
>Robban
>
>
>At 14:53 2001-08-16 +0800, Anthony Liu wrote:
>>On Tue, Aug 14, 2001 at 05:56:22PM +0200, Robert Olsson wrote:
>> 
>>> I'm trying to track down why my iptables script is slow (takes minutes),
>>> and found something very interesting.
>>> Running iptables v1.1.1 on kernel 2.4.2, this is basically what I do,
>>> without getting into details I assume isn't interesting:
>>
>>Try to use numerical IP addresses instead.  It is possible to filter
>>entirely on interface and with no IP address, as they are not reliable
>>anyway (spoofing).
>>
>>Another thing is I am amazed by people that "need" hundreds of rules
>>(compounded with non-numerical IP resolution it becomes a total disaster).
>>
>>Adopt a deny policy and redesign the chains in a clearly defined
>>data-flow diagram; it will reduce the overhead a lot.
>>
>>Any open services, forward them to a DMZ.
>>
>>Hope this helps.
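The message above finds the slow call by reading `strace -T` output by eye. As an added example (not part of this thread, and not code from iptables or libiptc), the following parser does the same thing mechanically: it reads the per-call elapsed times strace prints in angle brackets, ranks the calls, and decodes the two `IP_???` option numbers strace could not name. The sample input is constructed: it is the trace quoted in the mail plus one made-up failing `open()` line so the `-1 ERRNO (text)` return format is exercised too. The option names come from the kernel header `linux/netfilter_ipv4/ip_tables.h`, where `IPT_BASE_CTL` is 64, so 0x40 is `IPT_SO_SET_REPLACE` and 0x41 is `IPT_SO_SET_ADD_COUNTERS`; all function names here are my own.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Names for the two SOL_IP options strace printed as "IP_???" (0x40 and 0x41).
# Values are from linux/netfilter_ipv4/ip_tables.h: IPT_BASE_CTL == 64,
# IPT_SO_SET_REPLACE == IPT_BASE_CTL, IPT_SO_SET_ADD_COUNTERS == IPT_BASE_CTL + 1.
IPT_SETSOCKOPT_NAMES = {0x40: "IPT_SO_SET_REPLACE", 0x41: "IPT_SO_SET_ADD_COUNTERS"}

# Constructed sample input: the strace -T lines quoted in the mail, plus one
# made-up failing open() so the "-1 ERRNO (message)" return format is covered.
SAMPLE_TRACE = """\
execve("/usr/local/sbin/iptables", ["iptables", "-A", "protd", "-d", "10.1.1.100", "-p", "tcp", "--dport", "110", "-j", "okd"], [/* 22 vars */]) = 0
mprotect(0x40150000, 1476, PROT_NONE)   = 0 <0.000019>
old_mmap(0x40150000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40150000 <0.000024>
close(4)                                = 0 <0.000015>
brk(0x807c000)                          = 0x807c000 <0.000019>
open("/etc/nonexistent", O_RDONLY)      = -1 ENOENT (No such file or directory) <0.000011>
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, [1953261926], 67584) = 0 <13.342718>
setsockopt(3, SOL_IP, 0x41 /* IP_??? */, [1953261926], 6772) = 0 <0.000243>
_exit(0)                                = ?
"""


class Call(NamedTuple):
    name: str
    args: str
    ret: str
    seconds: Optional[float]  # None when strace printed no <elapsed>, e.g. for _exit


# name(args) = ret [<elapsed>]  -- args are matched greedily so ')' inside them is fine,
# ret is matched lazily so an "ENOENT (No such file...)" return does not swallow the time.
_LINE = re.compile(
    r"^(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>.*?)(?:\s+<(?P<secs>\d+\.\d+)>)?\s*$"
)


def parse_line(line: str) -> Optional[Call]:
    """Parse one strace -T line; return None for non-syscall lines such as the '.' elisions."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    secs = m.group("secs")
    return Call(m.group("name"), m.group("args"), m.group("ret"),
                float(secs) if secs is not None else None)


def parse_trace(text: str) -> List[Call]:
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c is not None]


def slowest_calls(calls: List[Call], n: int = 3) -> List[Call]:
    """The n individual calls with the largest elapsed time (untimed calls are skipped)."""
    timed = [c for c in calls if c.seconds is not None]
    return sorted(timed, key=lambda c: c.seconds, reverse=True)[:n]


def time_by_syscall(calls: List[Call]) -> Dict[str, float]:
    """Total elapsed time per syscall name."""
    totals: Dict[str, float] = {}
    for c in calls:
        if c.seconds is not None:
            totals[c.name] = totals.get(c.name, 0.0) + c.seconds
    return totals


def share_of_total(calls: List[Call], name: str) -> float:
    """Fraction of all traced syscall time spent in `name` (0.0 if nothing was timed)."""
    totals = time_by_syscall(calls)
    total = sum(totals.values())
    return totals.get(name, 0.0) / total if total else 0.0


def ipt_optname(call: Call) -> Optional[str]:
    """For setsockopt(fd, SOL_IP, <num>, ...), map the undecoded option number to its ip_tables.h name."""
    if call.name != "setsockopt":
        return None
    m = re.match(r"\d+,\s*SOL_IP,\s*(0x[0-9a-fA-F]+|\d+)", call.args)
    return IPT_SETSOCKOPT_NAMES.get(int(m.group(1), 0)) if m else None


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in slowest_calls(calls):
        print(f"{c.seconds:10.6f}s  {c.name}  {ipt_optname(c) or ''}")
    print(f"setsockopt share of traced time: {share_of_total(calls, 'setsockopt'):.1%}")
```

Run against the mail's trace, this ranks the 0x40 setsockopt first and names it IPT_SO_SET_REPLACE. Its option length, 67584 bytes, is the `sizeof(*repl) + (*handle)->entries.size` from the libiptc snippet quoted above, i.e. the whole table is handed to the kernel on every single rule change, which is why the cost of each iptables invocation grows with the number of rules already loaded.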