Re: IP Accounting and performance


 



Gerald Galster wrote:
Hi all,

Perhaps you can give me some hints on a performance problem that I'm
currently experiencing with iptables.

The situation is as follows:

I have a firewall currently running kernel 2.4.20, Celeron 1 GHz and 512 MB of RAM
that should do traffic accounting based on single IP addresses. I thought it would be more
efficient to use iptables than writing a standalone application using pcap or the like.

I need to add filtering rules like

/sbin/iptables -A FORWARD -o eth0 -s ip_address/32
/sbin/iptables -A FORWARD -i eth0 -d ip_address/32

for about six class-C networks (this means about 3000 iptables rules).

The average throughput is around 3 Mbits / second.

After I've added those rules, the latency in ping times to a machine behind
the firewall increases from 30 ms to over 200 ms ...

Now my question is if I can speed those things up ... do you have any ideas?

Thanks in advance.

Regards,
Gerald



Hmm. Exactly what this site says will happen: http://www.hipac.org/ (See the performance tests)

As far as I know, you will not be able to overcome the limitations that iptables has with large rulesets. You can minimise the effect with careful design, but once you have that many rules, iptables inevitably grinds to a halt.

nf-hipac does not currently have byte and packet counters unfortunately. It has occurred to me many times that the most likely situation in which large rulesets are needed is when per IP accounting is being done, yet nf-hipac does not yet have counters.

Cheers,
Michael
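The "careful design" Michael mentions comes down to keeping the number of rules each packet walks small. The flat layout in the original post puts roughly 3000 rules in FORWARD, and every forwarded packet is matched against all of them in order. Splitting the rules into one user-defined chain per /24 and direction, with a single jump per chain in FORWARD, keeps the same per-host counters but cuts the worst-case walk to a handful of jumps plus one chain of 254 rules. The script below is an added example, not code from the thread or from either poster; it only prints the iptables commands so they can be reviewed before use, and the 192.0.2 and 198.51.100 prefixes are RFC 5737 documentation networks standing in for the real class-C ranges.

```shell
#!/bin/sh
# Added example: generate per-IP accounting rules as a two-level tree
# (one chain per /24 and direction) instead of one flat FORWARD chain.
# Networks are placeholders (RFC 5737 documentation prefixes).

# Worst-case rules one packet traverses with the flat layout from the thread:
# two rules per host (one per direction) times 254 hosts per /24.
flat_walk_cost() {
    echo $(( 2 * 254 * $1 ))
}

# Worst case with one chain per /24 and direction: the jumps in FORWARD
# plus the 254 host rules of the single chain the packet is sent to.
tree_walk_cost() {
    echo $(( 2 * $1 + 254 ))
}

# Emit iptables commands for interface $1 and the /24 prefixes that follow
# (given as "a.b.c"). Commands are printed rather than executed, so the
# output can be checked and then piped to sh on the firewall.
gen_accounting_rules() {
    iface="$1"; shift
    for net in "$@"; do
        tag=$(printf '%s' "$net" | tr . _)
        ochain="acct_out_$tag"
        ichain="acct_in_$tag"
        echo "iptables -N $ochain"
        echo "iptables -N $ichain"
        # The only rules every forwarded packet sees: one jump per /24 and direction.
        echo "iptables -A FORWARD -o $iface -s $net.0/24 -j $ochain"
        echo "iptables -A FORWARD -i $iface -d $net.0/24 -j $ichain"
        h=1
        while [ "$h" -le 254 ]; do
            # Counter-only rules with no target: the packet keeps walking the
            # chain and falls back to FORWARD when the chain runs out.
            echo "iptables -A $ochain -s $net.$h/32"
            echo "iptables -A $ichain -d $net.$h/32"
            h=$(( h + 1 ))
        done
    done
}

# Stand-alone demo: traversal cost for the six /24s from the thread, then the
# first generated commands. Real use: gen_accounting_rules eth0 a.b.c ... | sh
echo "flat layout: $(flat_walk_cost 6) rules per packet; tree layout: $(tree_walk_cost 6)"
gen_accounting_rules eth0 192.0.2 198.51.100 | head -n 6
```

For six class-C networks this is 3048 rule evaluations per packet in the flat layout against 266 in the tree layout. The total rule count, and therefore the counters you read back with `iptables -L -v -n -x`, is unchanged; only the match order differs. Each user chain is still walked linearly, so this is a constant-factor improvement within iptables, not the algorithmic lookup that nf-hipac provides.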



