Hi there,

On 3/6/2008 10:06 AM, Alberto Díez wrote:
> What is the netfilter preferred way to have a large set of rules and
> still do packet filtering?

I don't know if there's a "netfilter preferred way" and I don't know what
you mean by "a large set of rules".

Our iptables rules typically number about 200. We use ipsets for about
40,000 rules in about 30 sets, on fairly modest hardware.

People seem to run into performance issues with anything on the order of a
thousand iptables rules - obviously it will depend on the rules and how
they interact, and on the hardware, the processor load, etc.

--
73,
Ged.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
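The pattern Ged describes (a short iptables chain, with the large address list held in ipsets that a single rule consults) as an added example that is not part of the thread. The set name, the hash:net type, the INPUT chain and the DROP target are assumptions; the address list is a constructed sample. The script only generates the `ipset restore` input and the one iptables rule, so it runs without root; applying them is left to the operator.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): keep iptables rules few,
# push the bulk of the addresses into an ipset matched by one rule.

# Emit `ipset restore` input for a hash:net set. Reads one IP or CIDR per
# line from stdin, skipping blank lines and '#' comments. Feeding tens of
# thousands of entries through a single restore is far faster than calling
# `ipset add` once per entry. hash:net and the sizes are assumptions.
gen_ipset_restore() {
    set_name="$1"
    printf 'create %s hash:net family inet hashsize 65536 maxelem 65536\n' "$set_name"
    grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r net; do
        printf 'add %s %s\n' "$set_name" "$net"
    done
}

# The single iptables rule that consults the set: any packet whose source
# is in the set is dropped in INPUT (chain and target are assumptions).
gen_iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Constructed sample address list (documentation ranges, not real hosts).
SAMPLE='# constructed sample
192.0.2.0/24
198.51.100.7
203.0.113.0/25'

# Stand-alone usage: write the restore file and print the one rule.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | gen_ipset_restore blocklist_v4 > blocklist_v4.ipset
    gen_iptables_rule blocklist_v4
fi
```

Load the generated file with `ipset -exist restore < blocklist_v4.ipset` (the `-exist` option makes re-running it idempotent), then add the single rule. The set can afterwards be updated with `ipset add`/`ipset del` without touching the iptables chain, which is what keeps the rule count flat no matter how many addresses are filtered.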