Hello,

On Thursday, 2008 May 15 at 14:21:23 +0500, Anton wrote:
> Regarding the performance of the lookup of the iptables
> rules for match inside the kernel, are there any plans to
> improve the behaviour, or no plans in this area yet?

Nf hipac is an alternative: http://www.hipac.org/

> For example on the transit gateway I have ~500 rules which
> mark the packet, according to the client source IP - with
> unique mark per client IP - so I have 500 unique marks
> there, and so cannot use IPSET, and only IPTABLES - but
> it's known that iptables insert/lookup is very slow on huge
> rulesets (at least with iptables 1.3.x) and slowness
> progresses approximately exponentially on growth of rules
> number.
>
> Do I miss anything?

If you plan to use mark for QOS or routing, why not simply use the native classifier of tc or "ip rule"?

One other thing to look at may be:
http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-IPMARK

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
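As an added illustration of the suggestion in this reply (this is example code written for this page, not anything posted in the thread or shipped by netfilter, iproute2 or nf-hipac), the script below replaces the "one MARK rule per client source IP, then match on the mark" pattern with rules that key directly on the source address: one `ip rule ... from <ip> lookup <table>` entry per client for policy routing, and one tc u32 filter per client for QoS. Everything in it is assumed for the example: the client table is constructed sample data, the interface `eth0`, the per-client routing table ids and the `1:` HTB parent with classes `1:10` etc. are placeholders that must already exist on the box before the generated batch files are loaded with `ip -batch` and `tc -batch`.

```shell
#!/bin/sh
# Added example, not from the list thread. Generates policy-routing rules and
# tc classifier filters keyed on the client source IP, so no iptables MARK
# rules (and no per-packet linear walk of 500 MARK rules) are needed.

# Constructed sample client table: "<client-src-ip> <routing-table-id> <tc-classid>".
# Real deployments would read this from a file; table ids and classids are assumed.
CLIENTS="10.0.0.10 110 1:10
10.0.0.11 111 1:11
10.0.0.12 112 1:12"

# Emit one "ip rule" line per client in "ip -batch" form (no leading "ip").
# Source-address lookup replaces "-j MARK --set-mark N" + "ip rule fwmark N".
gen_ip_rules() {
    printf '%s\n' "$CLIENTS" | while read -r src table class; do
        [ -n "$src" ] || continue
        printf 'rule add from %s/32 lookup %s\n' "$src" "$table"
    done
}

# Emit one tc u32 filter per client in "tc -batch" form (no leading "tc").
# $1 is the egress interface; the parent qdisc "1:" and the classids are
# assumed to be an HTB tree that already exists on that interface.
gen_tc_filters() {
    dev="$1"
    printf '%s\n' "$CLIENTS" | while read -r src table class; do
        [ -n "$src" ] || continue
        printf 'filter add dev %s parent 1: protocol ip prio 1 u32 match ip src %s/32 flowid %s\n' \
            "$dev" "$src" "$class"
    done
}

# Stand-alone run: print both batch files to stdout, separated by a comment.
# Load with:  gen_ip_rules | ip -batch -   and   gen_tc_filters eth0 | tc -batch -
echo '# ip -batch input'
gen_ip_rules
echo '# tc -batch input'
gen_tc_filters eth0
```

For a few hundred clients the u32 classifier can additionally be organised into hash tables (the `handle`/`link`/`hashkey` options of `tc filter ... u32`) so that the per-packet match does not degrade into a linear scan, which is the same concern the thread raises for iptables; the flat filter list above is the simplest form and is what the generated output shows.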