Re: Performance of iptables-restore on large rule sets

From: Harald Welte
Date: Mon Jan 31 2005 - 18:10:05 EST

Next message: Roman Zippel: "Re: [PATCH] relayfs redux, part 2"
Previous message: Peter Williams: "Re: [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU_RATIO feature"
In reply to: Martin Josefsson: "Re: Performance of iptables-restore on large rule sets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 28, 2005 at 12:56:30PM -0600, Steve Bergman wrote:
> I have a large rule set (~53000 rules) that I sometimes load using
> iptables-restore. (It takes almost an hour.

That's really slow. I've seen multiple minutes, but an hour? What kind
of system is this? How does the ruleset look like? Maybe some dns
resolvals are timing out?

> Googling around tells me that the loop detection code in the kernel is
> slow with large rule sets.

That's wrong. What used to be slow is libiptc. iptables-1.2.11 should
actually already be significantly faster than all prior versions.

Please try the current pre-1.3.0 snapshots from
ftp://ftp.netfilter.org/pub/iptables/snapshot

Please report back if they solve your performance issue.

> Steve Bergman
--
- Harald Welte <laforge@xxxxxxxxxxxx> http://www.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)

Attachment: signature.asc
Description: Digital signature

Next message: Roman Zippel: "Re: [PATCH] relayfs redux, part 2"
Previous message: Peter Williams: "Re: [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU_RATIO feature"
In reply to: Martin Josefsson: "Re: Performance of iptables-restore on large rule sets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]