Re: Which of these 2 rules will consume more CPU? Please guide.

On 01.12.22 at 12:32, Amish wrote:
Hello everyone,

I have a hash:net IP set (with name say inblock) which has 2500 network blocks.

It is taken from http://rules.emergingthreatspro.com/fwrules/emerging-Block-IPs.txt

But let us assume that it can go up to 3000-5000 entries in future.

Now I have the following rule right at the top.

# iptables -t mangle -I PREROUTING 1 -m set --match-set inblock src -j DROP

This rule will process each and every packet that is coming in and match it against the IP set.

So if I have a 200 mbps line, then at its peak the above rule will go through data equal to 200 mbits per second.

I am curious to know if I change the above line to:

# iptables -t mangle -I PREROUTING 1 -m conntrack --ctstate NEW,INVALID -m set --match-set inblock src -j DROP

Normally you start with ACCEPT "ctstate RELATED,ESTABLISHED" as the first rule, because that hits 99% of all packets and skips any other rules.

Then you DROP "ctstate INVALID" no matter what.

And between that DROP rule and your ACCEPT rules you place additional DROP rules.

No matter INBOUND or PREROUTING.

So your "--match-set inblock src -j DROP" can only hit NEW and valid packets at all, and since you DROP the initial packets from these sources, they can never hit the ctstate rules.
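The ordering described in the reply, written out as an added example script (it is not code from either poster). It emits the rules as reviewable text, uses the set name "inblock" from the thread, and assumes a dedicated BLOCKLIST chain in the mangle table, a maxelem sizing of 65536 and a dry-run default; the blocklist loader expects the one-address-or-CIDR-per-line layout of the emerging-Block-IPs.txt file.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the rule ordering the reply
# describes (ACCEPT RELATED,ESTABLISHED first, DROP INVALID next, then the
# set-based DROP restricted to NEW) as a reviewable command list. The set
# name "inblock" is from the thread; the BLOCKLIST chain name, the maxelem
# sizing and the dry-run default are assumptions of this example.

SETNAME="${SETNAME:-inblock}"
CHAIN="${CHAIN:-BLOCKLIST}"

# Print the ordered rule set. Rules go into a dedicated chain so ordering is
# expressed with -A instead of fragile "-I PREROUTING <n>" positions; the
# chain is created once and flushed on re-runs, so the script is idempotent.
# Note that ACCEPT in the mangle table only ends traversal of this table's
# PREROUTING chain; the filter table still sees the packet afterwards.
blocklist_rules() {
    cat <<EOF
ipset create ${SETNAME} hash:net family inet maxelem 65536 -exist
iptables -t mangle -N ${CHAIN} 2>/dev/null || iptables -t mangle -F ${CHAIN}
iptables -t mangle -C PREROUTING -j ${CHAIN} 2>/dev/null || iptables -t mangle -I PREROUTING 1 -j ${CHAIN}
iptables -t mangle -A ${CHAIN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t mangle -A ${CHAIN} -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A ${CHAIN} -m conntrack --ctstate NEW -m set --match-set ${SETNAME} src -j DROP
EOF
}

# 1-based position of the first emitted line matching a pattern (used to
# check that the cheap state rules really precede the set lookup).
rule_index() {
    blocklist_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Convert a blocklist file (one IPv4 address or CIDR per line, '#' comments
# and blank lines allowed) into "ipset restore" input. Entries are loaded
# into a fresh set that is then swapped in atomically, so the live set is
# never half-populated while the rules above are active.
set_restore_lines() {
    printf 'create %s_new hash:net family inet maxelem 65536 -exist\n' "$SETNAME"
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
      | sed "s/^/add ${SETNAME}_new /"
    printf 'swap %s_new %s\ndestroy %s_new\n' "$SETNAME" "$SETNAME" "$SETNAME"
}

# Apply: print only, unless DRY_RUN=0 is set explicitly (applying needs root,
# ipset, iptables and the conntrack module on a real host).
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        blocklist_rules
    else
        blocklist_rules | sh -e
    fi
}

apply_rules
```

Two practical notes. A hash:net lookup is hashed per prefix length, so its per-packet cost depends on how many distinct prefix lengths the set contains rather than on whether it holds 2500 or 5000 entries; the state match in front of it is what keeps the lookup off the 99% of packets that belong to existing flows. The flip side of that ordering is that a source added to the set while one of its connections is already ESTABLISHED keeps passing the first rule; if cutting such flows matters, delete their entries with `conntrack -D -s <address>` after a set update, or place the set match ahead of the ESTABLISHED accept and pay the lookup on every packet.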
