On Monday 2010-06-21 17:18, krunal patel wrote:

>>> iptables -A FORWARD -m set ! --set testip src
>>> iptables -A FORWARD -m set ! --set testip src
>>> iptables -A FORWARD -m set --set testip src
>>
>> You do not measure ipset definitely. Because there is no target in the
>> rules, all of them are evaluated one after another, regardless of the
>> previous ones: netfilter just increases the packet/byte counters of the
>> matching rules, but continues by processing the next rule(s).
>
> No, we are measuring only ipset. What we are suspecting is, as the number
> of ipset matches increases, the packet path latency is increasing.
>
> 1000 msecs is just by adding 1 more rule. 3 rules took it to around
> 3000 to 4000 msecs.

No question that reevaluating the same thing over and over increases runtime...
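Added example, not part of the thread: the posted ruleset next to one that makes the set match count only once per packet. Without a `-j` target every rule in the chain is evaluated for every packet, so three rules mean three set lookups; putting the match in its own chain behind a terminating target (`RETURN`) bounds that to one. The chain name `ipset-bench`, the `APPLY` switch and the cleanup helper are choices made here; the set name `testip` and the `FORWARD` chain come from the posted commands. The option is written `--match-set`, the current spelling of the thread's `--set`.

```shell
#!/bin/sh
# Added example for this thread, not code from the original message.
# Assumed (not in the thread): chain name "ipset-bench", the APPLY switch,
# and the cleanup helper. Set name and FORWARD chain are from the post.
SET_NAME="${SET_NAME:-testip}"
CHAIN="${CHAIN:-FORWARD}"
BENCH_CHAIN="${BENCH_CHAIN:-ipset-bench}"

# The ruleset as posted: no -j target, so netfilter evaluates the set match
# in every rule for every packet and only bumps the per-rule counters.
posted_rules() {
    cat <<EOF
iptables -A $CHAIN -m set ! --match-set $SET_NAME src
iptables -A $CHAIN -m set ! --match-set $SET_NAME src
iptables -A $CHAIN -m set --match-set $SET_NAME src
EOF
}

# A ruleset that evaluates the set match exactly once per packet: the match
# sits in its own chain with a terminating target, so a hit never falls
# through to later rules, and a miss stops at the unconditional RETURN.
# The FORWARD policy is untouched, so this is safe to insert on a live box.
measured_rules() {
    cat <<EOF
ipset create $SET_NAME hash:ip -exist
iptables -N $BENCH_CHAIN 2>/dev/null || iptables -F $BENCH_CHAIN
iptables -A $BENCH_CHAIN -m set --match-set $SET_NAME src -j RETURN
iptables -A $BENCH_CHAIN -j RETURN
iptables -I $CHAIN 1 -j $BENCH_CHAIN
EOF
}

# Undo measured_rules: unhook the bench chain, flush it, delete it.
cleanup_rules() {
    cat <<EOF
iptables -D $CHAIN -j $BENCH_CHAIN
iptables -F $BENCH_CHAIN
iptables -X $BENCH_CHAIN
EOF
}

# How many set lookups one packet can trigger with a ruleset read on stdin:
# every rule carrying "-m set" that a packet can still reach. With the posted
# rules all three are reachable (nothing terminates); with the measured rules
# only the first rule of the bench chain carries the match.
set_evaluations() {
    grep -c -- '-m set'
}

# Per-rule packet/byte counters show which rules a packet actually visited.
show_counters() {
    iptables -L "$BENCH_CHAIN" -v -n -x
}

# Only touch the kernel when asked: needs root, iptables and ipset.
if [ "${APPLY:-0}" = 1 ]; then
    measured_rules | sh -e
    show_counters
fi
```

Run with `APPLY=1` as root, push traffic through FORWARD, then compare the counters from `iptables -L ipset-bench -vnx`: the first rule's packet count is the number of set hits, the second rule's count is the number of misses, and their sum equals the packets that entered the chain, which confirms each packet did exactly one lookup. To study the cost of N lookups, add N such match rules to the bench chain on purpose rather than leaving targets off by accident.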