long ruleset performance issue

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Tue Apr 5 08:46:54 CEST 2005


On Mon, 4 Apr 2005, Grant Taylor wrote:

> This will make it such that your packets don't have to traverse as many
> rules in the FORWARD chain directly.  In fact there would only be 18
> conditional JUMP to sub chain rules in the main FORWARD chain.  In this
> situation there would be 255 entries in the sub chains.  You end up with
> a pseudo tree structure like this
>
> FORWARD
>    |
>    <subnet 1.1.1.0/24 -j FORWARD_1_1_1_0>
>       |
>       <ip 1.1.1.1 -j MARK>
>       <ip 1.1.1.2 -j MARK>
>       <ip 1.1.1.3 -j MARK>
>    <subnet 1.1.2.0/24 -j FORWARD_1_1_2_0>
>       |
>       <ip 1.1.2.1 -j MARK>
>       <ip 1.1.2.2 -j MARK>
>       <ip 1.1.2.3 -j MARK>
>    <subnet 1.1.3.0/24 -j FORWARD_1_1_3_0>
>       |
>       <ip 1.1.3.1 -j MARK>
>       <ip 1.1.3.2 -j MARK>
>       <ip 1.1.3.3 -j MARK>

If the possible mark values are small, then ipset is a much more efficient
solution for the problem. You can even build up similar tree structure
with bindings in ipset. Actually, one can collapse the corresponding
iptables rules to the number of distinct mark values.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
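The collapse Jozsef describes above (one iptables rule per distinct mark value, with the per-host lookup moved into a set) is illustrated by the following shell script. It is an added example, not code from the thread or from the ipset project; it generates the `ipset restore` input and the iptables rules from a constructed host-to-mark mapping instead of loading them, so it runs without root or netfilter. It assumes current ipset syntax (`hash:ip` sets and the `-m set --match-set` match) rather than the 2005-era set types and bindings the reply refers to, and it assumes the mark is keyed on the destination address; the mark values 10/20/30 and the nine addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original post): collapse per-host MARK rules
# to one rule per distinct mark value by moving the host lookup into ipset.
# Assumes modern ipset (hash:ip sets, `-m set --match-set`); the old
# "bindings" feature mentioned in the thread is not used.

# Constructed sample mapping, one "<ip> <mark>" pair per line (not real data).
HOST_MARKS='1.1.1.1 10
1.1.1.2 20
1.1.1.3 10
1.1.2.1 30
1.1.2.2 20
1.1.2.3 10
1.1.3.1 30
1.1.3.2 30
1.1.3.3 20'

# Distinct mark values, numerically sorted, one per line.
distinct_marks() {
    printf '%s\n' "$HOST_MARKS" | awk '{print $2}' | sort -n | uniq
}

# `ipset restore` input: one hash:ip set per mark value, filled with every
# host that should receive that mark. Set names mark_<value> are an
# assumption of this example.
ipset_restore_script() {
    for m in $(distinct_marks); do
        echo "create mark_$m hash:ip family inet -exist"
        printf '%s\n' "$HOST_MARKS" |
            awk -v m="$m" '$2 == m {print "add mark_" m " " $1}'
    done
}

# iptables rules: one MARK rule per set, however many hosts the set holds.
# The packet is matched by a hash lookup in the set, not by walking a list
# of per-host rules. Matching on the destination address is an assumption.
iptables_rules() {
    for m in $(distinct_marks); do
        echo "iptables -t mangle -A FORWARD -m set --match-set mark_$m dst" \
             "-j MARK --set-mark $m"
    done
}

# Number of FORWARD rules the ipset approach needs.
rule_count() {
    iptables_rules | wc -l | tr -d ' '
}

# Number of hosts, i.e. the number of rules a flat per-host list would need.
host_count() {
    printf '%s\n' "$HOST_MARKS" | wc -l | tr -d ' '
}

# Usage: print both scripts; on a real box you would redirect them and run
#   ipset restore < marks.ipset && sh marks.rules
main() {
    echo "# hosts: $(host_count), distinct marks / FORWARD rules: $(rule_count)"
    echo "# --- ipset restore input ---"
    ipset_restore_script
    echo "# --- iptables rules ---"
    iptables_rules
}

main "$@"
```

With nine hosts and three mark values the flat layout needs nine MARK rules (or three subnet jumps plus nine rules in the tree above), while the set-based layout needs three, and adding a tenth host only grows a set, not the chain.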
