On Thursday 2011-06-09 16:23, Tihomir Katic wrote:

>>That is purely noise. You need a lot more rules (10000 and up) to
>>measure an effect.
>
>I've been testing, list with 1000 rules, list with 10000 rules, list
>with 50000 rules.
>Searching for minimum time, in 100 tests, etc.
>
>1 MIN ( 1000 single): 0.206000 us
>1 MIN (1000 array): 0.264000 us
>
>1 MIN (10000 single): 0.081400 us
>1 MIN (10000 array): 0.156900 us

It seems you are not executing all rules. How else could 10k rules be
faster than 1k? You must not use any -j. What you need is something like:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dport 1:5,20:25
-A INPUT -p tcp -m multiport --dport 1:5,20:25
-A INPUT -p tcp -m multiport --dport 1:5,20:25
-A INPUT -p tcp -m multiport --dport 1:5,20:25
-A INPUT -p tcp -m multiport --dport 1:5,20:25
-A INPUT -p tcp -m multiport --dport 1:5,20:25
-A INPUT -p tcp -m multiport --dport 1:5,20:25
-A INPUT -p tcp -m multiport --dport 1:5,20:25
COMMIT
# Completed on Thu Jun 9 16:33:15 2011

(of course, replicating this to 1000 rules), and then sending yourself
some packet and measure the RTT.
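The benchmark setup the reply describes, as an added example that is not part of the original mail: a small POSIX shell script that generates an iptables-restore ruleset of N identical target-less multiport rules (so every rule is evaluated on every packet, nothing terminates traversal early) and, optionally, loads it and measures loopback RTT. The function names, the chain/port parameters and the /tmp file path are assumptions of this example; loading the ruleset needs root and is not run by default.

```shell
#!/bin/sh
# Added example (not from the original thread): build the ruleset the reply
# sketches, replicated to N rules, in iptables-restore format.
# gen_ruleset N [CHAIN] [PORTS]  -> prints the ruleset on stdout
gen_ruleset() {
    n=$1
    chain=${2:-INPUT}          # assumed parameter; the mail uses INPUT
    ports=${3:-1:5,20:25}      # assumed parameter; the mail uses 1:5,20:25
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    i=0
    while [ "$i" -lt "$n" ]; do
        # Deliberately no -j target: the rule is matched but never
        # terminates chain traversal, so all n rules run for each packet.
        printf '%s %s -p tcp -m multiport --dport %s\n' '-A' "$chain" "$ports"
        i=$((i + 1))
    done
    printf 'COMMIT\n'
}

# rule_count N -> number of -A lines gen_ruleset would emit (sanity check)
rule_count() {
    gen_ruleset "$1" | grep -c '^-A '
}

# bench N: load the N-rule set and report ping RTT statistics on loopback.
# Requires root and replaces the running filter table; not called by default.
# Note: an ICMP echo only exercises each rule's "-p tcp" check; to time the
# multiport matcher itself, the probe packet must be TCP (e.g. a local
# listener plus a TCP client), since multiport is only consulted when the
# protocol matches.
bench() {
    n=$1
    gen_ruleset "$n" > "/tmp/bench-$n.rules"      # assumed scratch path
    iptables-restore < "/tmp/bench-$n.rules"
    ping -c 100 127.0.0.1 | tail -n 2
}

# Usage: ./gen.sh 1000 > rules.txt ; then, as root: iptables-restore < rules.txt
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Generate one file per rule count (1000, 10000, 50000) and load each in turn; comparing the minimum RTT across runs, as the mail suggests, gives the per-rule cost once all rules are actually traversed.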