On Fri, 2007-07-27 at 23:30 +0200, Július Bemš wrote:
> Hi,
>
> When I need to add some rules (in my case 100) to some chain it takes various
> time, depending on the number of existing rules in the chain. So when I add
> 100 rules to an empty chain, it takes 1.8sec. If there are 1000 rules in the
> chain, it takes 4.5sec and if there are 10000 rules it takes 21sec.
>
> My problem is that I need to add these rules to a chain which contains 20000
> rules in a short time. I think that the way of adding rules into a chain is
> very ineffective.
>
> Could someone tell me how the adding works internally? What data structures
> are used? Because I need to solve this and find the way to add new rules
> quickly.
>
> Thanks for replies
>

We face the same problem on the ISCS project (http://iscs.sourceforge.net).
There, to do micro-perimeter network security, we frequently generate
thousands or tens of thousands of rules with the click of a mouse. We handle
it by adding rules via iptables-restore rather than iptables. The load time
difference is remarkable.

You write your rules into files with very similar syntax to iptables and then
direct them into iptables-restore, e.g.,

    iptables-restore < /etc/PEP/rules.txt

or, if you do not want to overwrite existing rules,

    iptables-restore -n < /etc/PEP/runtimerules.txt

Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
Financially sustainable open source development
http://www.opensourcedevel.com
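The bulk-load approach John describes, as an added example that is not code from the thread or from the ISCS project: a small script that writes a batch of rules in iptables-restore syntax and loads them with -n so the chain's existing rules survive. The chain name BULK_DROP, the temporary file and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or the ISCS project.
# Builds an iptables-restore input file for a large batch of rules so the
# whole batch is handed to the kernel in one pass instead of one iptables
# invocation per rule. Chain name, file path and addresses are constructed.

# gen_restore_file CHAIN OUTFILE MODE   (MODE: new | append)
# Reads one source address per line on stdin and writes one DROP rule per
# address into CHAIN. In "new" mode the chain is declared so it is created;
# in "append" mode no declaration is written and the -A lines simply extend
# the existing chain, leaving its current rules untouched.
gen_restore_file() {
    chain=$1 out=$2 mode=$3
    {
        echo '*filter'                                  # table header, mandatory
        [ "$mode" = new ] && echo ":$chain - [0:0]"     # policy '-' = user chain
        while IFS= read -r addr; do
            [ -n "$addr" ] || continue                  # skip blank lines
            echo "-A $chain -s $addr -j DROP"
        done
        echo 'COMMIT'                                   # closes the table block
    } > "$out"
}

# count_rules FILE: number of rule lines, a cheap sanity check before loading.
count_rules() {
    grep -c '^-A ' "$1" || true
}

# load_rules FILE: apply the whole batch in one go (needs root).
# -n (--noflush) keeps whatever is already in the table; without it the
# table is replaced by the file's contents.
load_rules() {
    iptables-restore -n < "$1"
}

# Demo: generate a 100-rule batch from constructed TEST-NET-1 addresses.
demo_file=$(mktemp)
i=1
while [ "$i" -le 100 ]; do
    echo "192.0.2.$i"
    i=$((i + 1))
done | gen_restore_file BULK_DROP "$demo_file" append
echo "wrote $(count_rules "$demo_file") rules to $demo_file"
# load_rules "$demo_file"    # run as root to apply the batch
```

Before loading a generated file, `iptables-restore -t` (test mode) can be used to parse it without touching the kernel tables.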