Re: adding rules - slow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2007-07-27 at 23:30 +0200, Július Bemš wrote:
> Hi,
> 
> When I need to add som rules (in my case 100) to some chain it takes various
> time, depending on the number of existing rules in the chain. So when I add
> 100 rules to empty chain, it takes 1.8sec. If tehere is 1000 rules int the
> chain, it takes 4.5sec and if there is 10000 rules it takes 21sec. 
> 
> My problem is, that i need to add this rules to chain which contains 20000
> rules in short time. I think, that the way of adding rules into chain is
> very innefective. 
> 
> Could someone tell me how the adding works internally? What data structures
> are used? Because I need solve this and find the way how to add new rules
> quickly.
> 
> Thanks for replies
> 
> 
We face the same problem on the ISCS project
(http://iscs.sourceforge.net).  There, do to micro-perimeter network
security, we frequently generate thousands or tens of thousands of rules
with the click of a mouse.

We handle it by adding rules via iptables-restore rather than iptables.
The load time difference is remarkable.  You write your rules into files
with very similar syntax to iptables and then direct them into
iptables-restore, e.g., 

iptables-restore < /etc/PEP/rules.txt

or, if you do not want to overwrite existing rules,

iptables-restore -n < /etc/PEP/runtimerules.txt

Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

Financially sustainable open source development
http://www.opensourcedevel.com




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux