On 05/13/08 01:59, Eli Hadad wrote:
> 1. Is there a limit to the number of rules I can add to specific
> chain? I need to have around 20000 rules.
Not that I'm aware of.
Do you need to have 20,000 rules to be processed linearly or could they
be broken out in to user-defined chains that are jumped to in a tree
like structure to make the number of tests smaller (than 20,000)?
> 2. What are the performance implications of using this large number of
> rules? Are there any numbers people can share?
Well, any time you use an unoptimized list to compare against, things
will not be as good as they could be.
However I think if you intelligently design your (user defined) chains
and use IP Sets where you can, things should be fine.
I find it very unlikely that you need a list of rules to be processed
linearly one after the other looking for a match. In that list there
should be a way to sub-divide and jump to smaller user defined chains to
make the next decision and eventually (after a few chains and decisions
therein) get to the final rule *MUCH* faster than processing each and
every single rule for each and every single packet.
> 3. I also saw the HIPAC project which claims to have much better
> performance. Is there any work done to integrate the same type of
> functionality into iptables?
I have yet to see any evidence one way or the other as to whether or not
stock NetFilter and / or HIPAC are better. (Though I have not been
looking either.)
Grant. . . .
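As an added illustration of the chain tree Grant describes (not code from the thread): a POSIX shell script that turns a list of /32 sources to DROP into iptables-restore text where INPUT jumps to a per-/8 chain, which jumps to a per-/16 chain holding the individual matches, and then counts how many rule tests a single packet can hit at most. The 2000 addresses and the SRC_* chain names are constructed for the demo.

```shell
#!/bin/sh
# gen_sources N: constructed demo data, N /32 addresses spread over 4 /8 and
# 100 /16 prefixes (not real data; a deployment would read its own list).
gen_sources() {
  awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++)
    printf "%d.%d.%d.1\n", 10 + i % 4, int(i / 4) % 25, int(i / 100) }'
}

# gen_tree: read "one address per line" and emit iptables-restore text.
# INPUT tests one rule per /8, each SRC_a chain one rule per /16, and each
# SRC_a_b chain only the /32 rules that live in that /16.
gen_tree() {
  sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | awk '
  BEGIN { print "*filter" }
  { split($1, o, "."); l1 = "SRC_" o[1]; l2 = l1 "_" o[2]
    if (!(l1 in seen)) { seen[l1] = 1; top[++nt] = "-A INPUT -s " o[1] ".0.0.0/8 -j " l1 }
    if (!(l2 in seen)) { seen[l2] = 1; mid[++nm] = "-A " l1 " -s " o[1] "." o[2] ".0.0/16 -j " l2 }
    leaf[++nl] = "-A " l2 " -s " $1 "/32 -j DROP"
  }
  END {
    for (k in seen) print ":" k " - [0:0]"   # chain declarations; order is irrelevant
    for (i = 1; i <= nt; i++) print top[i]
    for (i = 1; i <= nm; i++) print mid[i]
    for (i = 1; i <= nl; i++) print leaf[i]
    print "COMMIT"
  }'
}

# worst_case: upper bound on rule tests one packet can hit in the tree:
# rules in INPUT + largest /8 chain + largest /16 chain. A flat list would
# test every rule, i.e. flat_count.
worst_case() {
  awk '/^-A / { n[$2]++ }
  END { for (c in n) { if (c == "INPUT") t = n[c]
          else if (split(c, p, "_") == 2) { if (n[c] > m1) m1 = n[c] }
          else if (n[c] > m2) m2 = n[c] }
        print t + m1 + m2 }'
}

flat_count() { grep -c ' -j DROP$'; }

# Stand-alone run: 2000 rules flat vs. the tree bound for the same set.
table="$(gen_sources 2000 | gen_tree)"
printf 'flat: %s tests, tree: at most %s tests\n' \
  "$(printf '%s\n' "$table" | flat_count)" "$(printf '%s\n' "$table" | worst_case)"
```

The output is iptables-restore format; review it before loading it on a live host, and note that the bound grows with the largest chain at each level, so the split should follow where the real addresses cluster.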