> That is purely noise. You need a lot more rules (10000 and up) to
> measure an effect.

I've been testing: a list with 1000 rules, a list with 10000 rules, and a list with 50000 rules, searching for the minimum time over 100 tests, etc.

1 MIN (1000 single): 0.206000 us
1 MIN (1000 array): 0.264000 us
1 MIN (10000 single): 0.081400 us
1 MIN (10000 array): 0.156900 us

I couldn't restore the 50000 array command (memory issue) on iptables 1.4.4,
but it can be restored on 1.2.9 (I don't have results for that right now).

Br

2011/6/9 Jan Engelhardt <jengelh@xxxxxxxxxx>:
> On Thursday 2011-06-09 16:07, Tihomir Katic wrote:
>>
>> Also, I have been doing some tests, and in config.txt you will see:
>> ## Optimal size of multiport - port array
>> port_array_size_optimal = 10
>>
>> It means it will merge 2 rules, for example --dport 1:5 and --dport
>> 21:25, into -m multiport --dports 1,2,3,4,5,21,22,23,24,25
>
> This should be -m multiport --dports 1:5,21:25
>
>> But, based on my recent tests, it should be
>> port_array_size_optimal = 15
>
> Yes, multiport can hold 15 "things".
>
>> A rule with --dport 1:5 takes e.g. ~0.2 us
>> and a rule with 15 elements in the multiport array lasts ~0.4 us, so it is
>> pretty much the same
>
> That is purely noise. You need a lot more rules (10000 and up) to
> measure an effect.
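The merge step discussed in the thread, as an added example that is not code from the thread or from Tihomir's tool: single-port and port-range rules are coalesced into as few `-m multiport --dports` rules as the 15-slot cap allows, keeping ranges as `1:5,21:25` rather than expanding them. It assumes (labelled in the code) that a range `a:b` occupies two of the 15 multiport slots and a single port one; the chain, protocol and target names are placeholders.

```python
import re

# Assumption: a multiport match holds 15 "things"; a range a:b uses two slots.
MULTIPORT_SLOTS = 15


def parse_port_spec(spec):
    """Return (lo, hi) for '80' or '1:5'; reject anything outside 0..65535."""
    m = re.fullmatch(r"(\d+)(?::(\d+))?", spec)
    if not m:
        raise ValueError("bad port spec: %r" % spec)
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("port out of range: %r" % spec)
    return lo, hi


def coalesce(ranges):
    """Merge overlapping or adjacent ranges, so 1:5 and 6:10 become 1:10."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def slots(r):
    """Slots a range consumes in the multiport match (assumption: 2 for a:b)."""
    return 1 if r[0] == r[1] else 2


def to_multiport(specs, proto="tcp", target="ACCEPT", chain="INPUT"):
    """Group coalesced ranges into multiport rules without exceeding the cap."""
    ranges = coalesce(parse_port_spec(s) for s in specs)
    groups, cur, used = [], [], 0
    for r in ranges:
        if used + slots(r) > MULTIPORT_SLOTS:
            groups.append(cur)
            cur, used = [], 0
        cur.append(r)
        used += slots(r)
    if cur:
        groups.append(cur)
    rules = []
    for g in groups:
        ports = ",".join(str(lo) if lo == hi else "%d:%d" % (lo, hi) for lo, hi in g)
        rules.append("-A %s -p %s -m multiport --dports %s -j %s" % (chain, proto, ports, target))
    return rules
```

Feeding the output to `iptables-restore` with the sizes from the thread (1000, 10000 rules) is how one would reproduce the timing comparison between single-port and merged rules.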