IPSet Log and drop.

Taylor, Grant gtaylor at riverviewtech.net
Thu Apr 21 21:40:35 CEST 2005


> ipset set types are really fast. It's hard to say, which is faster:
> the rules
> 
> 
>>iptables -A testhash -m set --set testhash src -j LOG
>>iptables -A testhash -m set --set testhash src -j DROP
> 
> or
> 
> iptables -N logdrop
> iptables -A logdrop -j LOG
> iptables -A logdrop -j DROP
> iptables -A testhash -m set --set testhash src -j logdrop
> 
> In the first case there is an additional set lookup, in the second case
> there are four [six] additional "wildcard" builtin matches (src, dst,
> inface, outface, [proto, frag]) and one jump.
> 
> Probably the latter one is a teeny bit faster with a few cycles: hash key
> computations are just more expensive operations than simple matches.

One additional advantage of using the latter method is that if you ever decide that you want to do limit matching on the LOG target (to prevent filling the logs for duplicate connect attempts) you could easily add additional entries to the logdrop chain and not have to introduce any additional hash processing as you would if you used the first method.  Think of jumping to a new chain as sort of like a subroutine in your favorite programming language.



Grant. . . .
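The rate-limited logdrop chain suggested in the reply above, as an added example that is not part of the original message. It generates both rule layouts from the thread with a limit on LOG and counts the set lookups each one needs; the rate, burst and log prefix are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread). The functions only print rules;
# nothing is applied unless the output is piped to a root shell.
# Assumptions: LOG_RATE, LOG_BURST and the log prefix are illustrative.
# The thread's 2005 syntax "--set" is kept; current iptables spells it
# "--match-set".

SET_NAME="testhash"   # ipset name and chain name used in the thread
LOG_RATE="5/min"      # assumed average LOG rate
LOG_BURST="10"        # assumed initial burst before the rate applies

# Method 1 from the thread, extended with a limit: each rule repeats the
# set match, so a matching packet costs two hash lookups.
inline_rules() {
    cat <<EOF
iptables -A $SET_NAME -m set --set $SET_NAME src -m limit --limit $LOG_RATE --limit-burst $LOG_BURST -j LOG --log-prefix "set-drop: "
iptables -A $SET_NAME -m set --set $SET_NAME src -j DROP
EOF
}

# Method 2: a single set match jumps to logdrop. The limit lives inside
# the chain, so tuning the logging never adds another set lookup.
# A packet over the limit skips LOG and still reaches DROP.
chain_rules() {
    cat <<EOF
iptables -N logdrop
iptables -A logdrop -m limit --limit $LOG_RATE --limit-burst $LOG_BURST -j LOG --log-prefix "set-drop: "
iptables -A logdrop -j DROP
iptables -A $SET_NAME -m set --set $SET_NAME src -j logdrop
EOF
}

# Count the rules in a generated ruleset that perform a set lookup.
# $1 is the name of one of the generator functions above.
set_lookups() {
    "$1" | grep -c -e '-m set '
}

echo "inline rules: $(set_lookups inline_rules) set lookups per matching packet"
echo "logdrop chain: $(set_lookups chain_rules) set lookup per matching packet"
chain_rules
```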


