>> This should be -m multiport --dports 1:5,21:25

Yes, you are right about this, but I didn't know iptables could work like this (have a range in the "array" list). I noticed it recently, so this is in the plan to add:
http://valeria.zesoi.fer.hr/~tkatic/index.php?appl=fea

Plans for future development:
- Allow multiport parameter to contain arrays together with single numbers

2011/6/9 Tihomir Katic <tihomir.katic@xxxxxxxxx>:
>> That is purely noise. You need a lot more rules (10000 and up) to
>> measure an effect.
>
> I've been testing, list with 1000 rules, list with 10000 rules, list
> with 50000 rules.
> Searching for minimum time, in 100 tests, etc.
>
> 1 MIN (1000 single): 0.206000 us
> 1 MIN (1000 array): 0.264000 us
>
> 1 MIN (10000 single): 0.081400 us
> 1 MIN (10000 array): 0.156900 us
>
> I couldn't restore 50000 array command (memory issue) on Iptables 1.4.4
>
> But it can be restored on 1.2.9 (don't have right now results for that)
>
> Br
>
>
> 2011/6/9 Jan Engelhardt <jengelh@xxxxxxxxxx>:
>> On Thursday 2011-06-09 16:07, Tihomir Katic wrote:
>>>
>>> Also, I have been doing some tests, and in config.txt you will see:
>>> ## Optimal size of multiport - port array
>>> port_array_size_optimal = 10
>>>
>>> It means, it will merge 2 rules for example --dport 1:5 and --dport
>>> 21:25 into -m multiport --dports 1,2,3,4,5,21,22,23,24,25
>>
>> This should be -m multiport --dports 1:5,21:25
>>
>>> But, based on my recent tests, it should be
>>> port_array_size_optimal = 15
>>
>> Yes, multiport can hold 15 "things".
>>
>>> rule with --dport 1:5 takes e.g. ~0.2 us
>>> and rule with 15 elements in multiport array lasts ~0.4us, so it is
>>> pretty much the same
>>
>> That is purely noise. You need a lot more rules (10000 and up) to
>> measure an effect.
>>
>
-- 
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
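The merging the thread discusses (folding rules that differ only in --dport into one -m multiport --dports rule, with ranges like 1:5 kept as ranges), as an added example that is not part of the thread or of the FEA tool it mentions. It assumes the slot accounting the thread implies: a multiport match holds 15 "things", where a single port is assumed to cost one slot and a range a:b two; chain, protocol and target names are constructed.

```python
"""Pack a list of iptables port specs into multiport rules (added example)."""

MULTIPORT_SLOTS = 15  # "multiport can hold 15 things" (thread)


def normalize(spec):
    """Parse '80' or '1:5' into (lo, hi); a single port becomes (p, p)."""
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec}")
    return lo, hi


def merge_ranges(specs):
    """Sort the specs and coalesce overlapping or adjacent ranges."""
    out = []
    for lo, hi in sorted(normalize(s) for s in specs):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def slots(r):
    # Assumption: a single port uses one slot, a range a:b uses two.
    return 1 if r[0] == r[1] else 2


def render(r):
    return str(r[0]) if r[0] == r[1] else f"{r[0]}:{r[1]}"


def pack(specs, limit=MULTIPORT_SLOTS):
    """Greedy first-fit packing of merged ranges into groups of <= limit slots."""
    groups, cur, used = [], [], 0
    for r in merge_ranges(specs):
        if used + slots(r) > limit:
            groups.append(cur)
            cur, used = [], 0
        cur.append(r)
        used += slots(r)
    if cur:
        groups.append(cur)
    return groups


def rules(specs, chain="INPUT", proto="tcp", target="ACCEPT"):
    """Emit one rule per group; a lone spec keeps plain --dport (constructed names)."""
    out = []
    for g in pack(specs):
        match = (f"--dport {render(g[0])}" if len(g) == 1
                 else "-m multiport --dports " + ",".join(render(r) for r in g))
        out.append(f"iptables -A {chain} -p {proto} {match} -j {target}")
    return out
```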