On Tue, 22 Jun 2010, Jozsef Kadlecsik wrote:

> On Tue, 22 Jun 2010, Jan Engelhardt wrote:
>
> > On Tuesday 2010-06-22 07:41, Nishit Shah wrote:
> > >> On Monday 2010-06-21 17:18, krunal patel wrote:
> > >>>>> iptables -A FORWARD -m set ! --set testip src
> > >>>>> iptables -A FORWARD -m set ! --set testip src
> > >>>>> iptables -A FORWARD -m set --set testip src
> > >>
> > >> No question that reevaluating the same thing over and over
> > >> increases runtime...
> > >
> > > Well, that is not the case. With 2.6.18.8 latency is same as 6 msecs.
> >
> > I think what you see could be noise.
> >
> > See commit 848484c08cb4ad161074262994410387585259ff in
> > xtables-addons. There I needed 3000 ping packets (sent with ping -f)
> > *and* a linear search of 10000 ranges to get above 2000 msec overhead
> > for a single rule.
>
> The impact of one more rule should be negligible. Something is bad there,
> but we know too little on the setup, the configuration: what kind of
> architecture, hardware you run the testing? What do you get when you
> replace the rules with similar ones but with pure "-s src" matching, i.e.
> without calling ipset? And it'd be good if you'd test a recent kernel as
> well. 2.6.27 is almost two years old.

I meant by "you" the OP, that is Krunal. :-)

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
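The A/B measurement Jozsef asks for (the same three FORWARD rules with the ipset match versus plain "-s" matching, timed with a flood ping as Jan did), written up as an added shell example that is not part of the thread. The set name testip and the three-rule pattern come from the thread; the source and ping target addresses are placeholders, and loading rules or flood-pinging requires root.

```shell
#!/bin/sh
# Added example: compare rule-evaluation latency with and without ipset.
# Assumed: an ipset named "testip" already exists; addresses are placeholders.
TEST_SRC="${TEST_SRC:-192.0.2.10}"        # placeholder: address matched by -s
PING_TARGET="${PING_TARGET:-192.0.2.20}"  # placeholder: host behind the router

# Emit the three-rule pattern from the thread for one mode:
# "ipset" uses the set match, "plain" uses an equivalent -s match.
build_rules() {
    case "$1" in
        ipset) m1="-m set ! --set testip src"; m2="-m set --set testip src" ;;
        plain) m1="! -s $TEST_SRC";            m2="-s $TEST_SRC" ;;
        *) echo "usage: build_rules ipset|plain" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "iptables -A FORWARD $m1" \
        "iptables -A FORWARD $m1" \
        "iptables -A FORWARD $m2"
}

# Flush FORWARD and load the rules for one mode (root required).
apply_rules() {
    iptables -F FORWARD && build_rules "$1" | sh -e
}

# Pull the avg field out of ping's "rtt min/avg/max/mdev = a/b/c/d ms" line.
parse_avg() {
    printf '%s\n' "$1" | sed -n 's#.*= [0-9.]*/\([0-9.]*\)/.*#\1#p'
}

# Flood-ping through the router (3000 packets, as in Jan's test) and
# return the average RTT in milliseconds.
avg_rtt_ms() {
    parse_avg "$(ping -f -c "${1:-3000}" "$PING_TARGET" 2>/dev/null)"
}

# Run both modes back to back so the only difference is the match used.
compare_latency() {
    for mode in plain ipset; do
        apply_rules "$mode" || return 1
        echo "$mode: $(avg_rtt_ms 3000) ms avg"
    done
}
```

Run compare_latency as root on the forwarding box; a large gap between the two modes points at the set match, while similar numbers point at the setup itself, as the reply suggests.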