On Tue, 22 Jun 2010, Jan Engelhardt wrote:

> On Tuesday 2010-06-22 07:41, Nishit Shah wrote:
>
>> On Monday 2010-06-21 17:18, krunal patel wrote:
>>
>>>>> iptables -A FORWARD -m set ! --set testip src
>>>>> iptables -A FORWARD -m set ! --set testip src
>>>>> iptables -A FORWARD -m set --set testip src
>>
>> No question that reevaluating the same thing over and over
>> increases runtime...
>
> >Well, that is not the case. With 2.6.18.8 latency is same as 6 msecs.
>
> I think what you see could be noise.
>
> See commit 848484c08cb4ad161074262994410387585259ff in
> xtables-addons. There I needed 3000 ping packets (sent with ping -f)
> *and* a linear search of 10000 ranges to get above 2000 msec overhead
> for a single rule. The impact of one more rule should be negligible.

Something is bad there, but we know too little on the setup, the
configuration: what kind of architecture, hardware you run the testing?
What do you get when you replace the rules with similar ones but with
pure "-s src" matching, i.e. without calling ipset? And it'd be good if
you'd test a recent kernel as well. 2.6.27 is almost two years old.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
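The comparison Jozsef asks for (the same rule with and without the ipset call, timed with a ping flood as in the xtables-addons measurement Jan cites) can be scripted so the two variants are measured under identical conditions. The script below is an added example and is not code from the thread or from the ipset project. It assumes a set named testip already exists, a dedicated user chain ipset_bench hooked into FORWARD (so the box's other rules are left alone), a forwarded test host 192.0.2.10, and 3000 flood pings; all of these are constructed defaults and can be overridden through environment variables. It uses the current `--match-set` spelling of the thread's `--set` option. Nothing is installed unless RUN_BENCH=1 is set, and the measurement itself needs root.

```shell
#!/bin/sh
# Added example: compare an ipset-based rule against a plain "-s" rule
# under a ping flood. Not from the original mail; set name, chain name,
# test host and packet count are constructed assumptions.
set -e

CHAIN=${CHAIN:-ipset_bench}   # user chain so FORWARD itself is not flushed

# Print the rule that matches the source address through an ipset.
# "--match-set" is the current spelling of the thread's "--set".
# $1: set name, $2: "!" to negate (optional), as in the thread's rules
set_rule() {
    printf 'iptables -A %s -m set %s--match-set %s src\n' "$CHAIN" "${2:+$2 }" "$1"
}

# Print the equivalent rule using plain "-s" matching, i.e. no ipset call.
# $1: source address/prefix, $2: "!" to negate (optional)
plain_rule() {
    printf 'iptables -A %s %s-s %s\n' "$CHAIN" "${2:+$2 }" "$1"
}

# Extract the average round-trip time (ms) from a "ping -q" summary line
# ("rtt min/avg/max/mdev = a/b/c/d ms" on Linux, "round-trip ..." on BSD).
avg_rtt_ms() {
    awk '/^(rtt|round-trip) min\/avg\/max/ {
        split($0, parts, "= "); split(parts[2], f, "/"); print f[2]; exit }'
}

# Percentage overhead of measurement $2 over baseline $1, one decimal.
overhead_pct() {
    awk -v base="$1" -v with="$2" 'BEGIN { printf "%.1f\n", (with - base) / base * 100 }'
}

# Replace the bench chain's contents with one rule (given as a command
# line, ":" for an empty chain) and time a ping flood through it.
# Requires root and a host that is actually forwarded by this box.
measure() {
    iptables -F "$CHAIN"
    eval "$1"
    ping -f -q -c "$COUNT" "$HOST" | avg_rtt_ms
}

if [ "${RUN_BENCH:-0}" = 1 ]; then
    HOST=${HOST:-192.0.2.10}      # constructed test host beyond the router
    COUNT=${COUNT:-3000}          # same packet count Jan used
    ipset list testip >/dev/null  # abort early if the set does not exist
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -C FORWARD -j "$CHAIN" 2>/dev/null || iptables -I FORWARD -j "$CHAIN"
    base=$(measure ":")
    with_set=$(measure "$(set_rule testip)")
    with_plain=$(measure "$(plain_rule 10.0.0.0/8)")
    echo "empty chain : ${base} ms"
    echo "ipset rule  : ${with_set} ms (+$(overhead_pct "$base" "$with_set")%)"
    echo "plain -s    : ${with_plain} ms (+$(overhead_pct "$base" "$with_plain")%)"
    iptables -F "$CHAIN"
fi
```

Run each measurement several times and compare spreads rather than single values; as Jan notes, a single run's difference of a few milliseconds can be noise, and a baseline with an empty chain is what separates the cost of the match from the cost of forwarding itself.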