Performance of iptables-restore on large rule sets

From: Steve Bergman
Date: Fri Jan 28 2005 - 14:11:54 EST

Next message: David Lang: "Re: Patch 4/6 randomize the stack pointer"
Previous message: Lorenzo Hernández García-Hierro: "Re: [PATCH] OpenBSD Networking-related randomization port"
Next in thread: Martin Josefsson: "Re: Performance of iptables-restore on large rule sets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have a large rule set (~53000 rules) that I sometimes load using iptables-restore. (It takes almost an hour.

Googling around tells me that the loop detection code in the kernel is slow with large rule sets. The only thing that seems odd to me is that throughout the entire loading process, iptables-restore is consistently at about 67% user and33% system processor time according to vmstat. If the slowness is in the kernel, shouldn't I be seeing a high and ever increasing amount of "system" time?

Kernel is 2.6.9-1.681_FC3. Iptables is iptables-1.2.11-3.1.FC3.

Thanks for any insights,
Steve Bergman
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Lang: "Re: Patch 4/6 randomize the stack pointer"
Previous message: Lorenzo Hernández García-Hierro: "Re: [PATCH] OpenBSD Networking-related randomization port"
Next in thread: Martin Josefsson: "Re: Performance of iptables-restore on large rule sets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]