> Hi, How to load fast about 20000 rules in iptables. If some document
> will help, please let me know :)

Netfilter is not designed for that. Please use the nf-hipac[1] drop-in replacement. NF-hipac will do the filtering and rule organisation for you, and for the rest (NAT, mangle) you can still use netfilter. Also you should check if you can't logically draw a binary tree with your rules, which would then result in faster matching lookup (at least with netfilter).
And no: iptables-save/restore is _not_ an option for dynamically changing rules!
If you have that many rules you certainly have a logic or a kind of matrix behind them. Try to use some algebraic transformations (linear translation, Laplace (define network flows), Gauss, TSP, ...) to optimize the ruleset. I have done this and successfully reduced the number of rules.
[1] http://www.hipac.org
Regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
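An added illustration of the "binary tree of rules" idea from the reply above (my own example, not Roberto's code and not nf-hipac): it takes a list of per-host DROP rules, sorts them, and emits plain iptables commands that split them into a tree of user-defined chains dispatched with the iprange match, plus a small simulator that counts how many rules a packet has to pass before a verdict. It assumes the rules are non-overlapping per-host blocks whose order does not matter (that is what makes partitioning them safe) and that the parent chain's policy is ACCEPT; the host list, chain names and leaf size are constructed.

```python
import ipaddress

# Constructed sample: 512 per-host DROP rules (non-overlapping, so order is irrelevant).
SAMPLE_HOSTS = [f"10.{a}.{b}.1" for a in range(8) for b in range(64)]


def build_tree(hosts, leaf_size=8, parent="INPUT", root="T"):
    """Arrange per-host DROP rules as a binary tree of chains.
    Returns (commands, chains): the iptables commands that create the tree and a dict
    chain name -> [(kind, lo, hi, target)] used by lookup(). Internal chains hold two
    'jump' rules (iprange match); leaf chains hold at most leaf_size 'drop' rules."""
    hosts = sorted({ipaddress.IPv4Address(h) for h in hosts})
    commands, chains = [], {}

    def emit(name, items):
        chains[name] = []
        commands.append(f"iptables -N {name}")
        if len(items) <= leaf_size:
            for ip in items:
                chains[name].append(("drop", ip, ip, "DROP"))
                commands.append(f"iptables -A {name} -s {ip} -j DROP")
            return
        mid = len(items) // 2
        for part, sub in ((items[:mid], name + "0"), (items[mid:], name + "1")):
            emit(sub, part)  # create the sub-chain before a rule refers to it as a target
            lo, hi = part[0], part[-1]
            chains[name].append(("jump", lo, hi, sub))
            commands.append(f"iptables -A {name} -m iprange --src-range {lo}-{hi} -j {sub}")

    emit(root, hosts)
    commands.append(f"iptables -A {parent} -j {root}")
    return commands, chains


def lookup(chains, ip, root="T"):
    """Walk the tree like the kernel: jump on match, fall through back to the caller."""
    ip = ipaddress.IPv4Address(ip)
    stack, evaluated = [(root, 0)], 0
    while stack:
        name, i = stack.pop()
        rules = chains[name]
        while i < len(rules):
            kind, lo, hi, target = rules[i]
            i, evaluated = i + 1, evaluated + 1
            if lo <= ip <= hi:
                if kind == "drop":
                    return target, evaluated
                stack.append((name, i))    # resume here if the sub-chain returns
                stack.append((target, 0))
                break
    return "ACCEPT", evaluated  # constructed assumption: the parent chain's policy is ACCEPT
```

With 512 hosts and leaves of 8, no packet is matched against more than 20 rules, where a flat chain would need up to 512; the same shape applies to the 20000-rule case.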