On Mon, Jun 21, 2010 at 10:16 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>
> On Monday 2010-06-21 17:18, krunal patel wrote:
>>>> iptables -A FORWARD -m set ! --set testip src
>>>> iptables -A FORWARD -m set ! --set testip src
>>>> iptables -A FORWARD -m set --set testip src
>>>
>>> You do not measure ipset definitely. Because there is no target in the
>>> rules, all of them are evaluated one after another, regardless of the
>>> previous ones: netfilter just increases the packet/byte counters of the
>>> matching rules, but continues by processing the next rule(s).
>>
>> No, we are measuring only ipset. What we are suspecting is that, as the number
>> of ipset matches in the packet path increases, latency is increasing.
>>
>> 1000 msecs is just by adding 1 more rule. 3 rules took it to around
>> 3000 to 4000 msecs.
>
> No question that reevaluating the same thing over and over
> increases runtime...

Well, that is not the case. With 2.6.18.8 the latency stays the same, 6 msecs,
i.e. it is not increasing with the number of ipset rules.

Also, if our traffic load is around 1 to 1.4 Gbps, even on 2.6.27.45 we do not
experience the latency increase when increasing the number of rules.

Rgds,
Nishit Shah.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
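Jan's objection concerns how a chain is traversed: a rule that has a match but no `-j` target never issues a verdict, so every packet is checked against every such rule and each one's counters advance, whereas a terminating target ends traversal at the first hit. The toy model below, added here as an illustration and not code from the thread or from the netfilter project, reproduces that behaviour for the three `-m set --set testip src` rules quoted above. The set contents, the packet sources and the `build_chain`/`count_evaluations`/`counters_after` helper names are all constructed for the example; it models only verdict semantics, not kernel timing.

```python
"""
Toy model of netfilter chain traversal (added illustration, not netfilter code).

A rule without a target (no -j) is non-terminating: the packet is matched
against it, its counters are updated on a hit, and traversal continues.
A terminating target (ACCEPT/DROP/REJECT/RETURN) stops traversal on a hit.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for the "testip" ipset from the thread.
TESTIP_SET = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def in_testip_set(src: str) -> bool:
    """Membership test playing the role of '-m set --set testip src'."""
    addr = ip_address(src)
    return any(addr in net for net in TESTIP_SET)


@dataclass
class Rule:
    name: str
    match: Callable[[str], bool]   # predicate on the packet's source address
    negate: bool = False           # models the '!' in '-m set ! --set testip src'
    target: Optional[str] = None   # None = counters only, no verdict
    packets: int = 0               # like the pkts column of 'iptables -L -v'


def traverse(chain: List[Rule], src: str) -> Tuple[str, int]:
    """Evaluate one packet; return (verdict, number of match evaluations)."""
    evaluations = 0
    for rule in chain:
        evaluations += 1
        hit = rule.match(src) != rule.negate   # '!' inverts the match result
        if not hit:
            continue
        rule.packets += 1
        if rule.target in TERMINATING:
            return rule.target, evaluations
        # No target (or a non-terminating one): keep walking the chain.
    return "POLICY", evaluations


def build_chain(n_rules: int, terminating: bool) -> List[Rule]:
    """n_rules copies of '-m set --set testip src', with or without '-j ACCEPT'."""
    target = "ACCEPT" if terminating else None
    return [Rule(f"rule{i}", in_testip_set, target=target) for i in range(n_rules)]


def count_evaluations(n_rules: int, terminating: bool, src: str) -> int:
    """How many rules one packet from 'src' is matched against."""
    _, evaluations = traverse(build_chain(n_rules, terminating), src)
    return evaluations


def counters_after(n_rules: int, terminating: bool, sources: List[str]) -> List[int]:
    """Per-rule packet counters after sending one packet from each source."""
    chain = build_chain(n_rules, terminating)
    for src in sources:
        traverse(chain, src)
    return [rule.packets for rule in chain]


if __name__ == "__main__":
    # Constructed sample traffic: two addresses inside the set, one outside.
    sample = ["10.1.2.3", "192.168.1.7", "8.8.8.8"]
    print("no target, 3 rules:", counters_after(3, False, sample))   # every rule counts
    print("-j ACCEPT, 3 rules:", counters_after(3, True, sample))    # only the first counts
    print("evaluations for a set member, no target:", count_evaluations(3, False, "10.1.2.3"))
    print("evaluations for a set member, -j ACCEPT:", count_evaluations(3, True, "10.1.2.3"))
```

With target-less rules the per-packet work grows linearly with the number of rules, which is the shape of the slowdown the thread reports; with a terminating target the chain is left at the first matching rule, so a benchmark of a single ipset lookup should put `-j ACCEPT` (or `-j RETURN`) on the rule under test and compare counters and timings from there.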