Re: loading huge number of rules in iptables (blocklist)

From: "H.S." <hs.samix@xxxxxxxxx>
Date: Wed, 21 Mar 2007 12:09:03 -0400

Ron Johnson wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/21/07 10:52, H.S. wrote:
H.S. wrote:

Now, currently, there are around 151,000 ipranges listed in level1.gz
to block. So the above function's loop goes over these many times
inserting the rules for each range. And this is taking huge amount of
time: in over 50 minutes, only around 12% rules have been loaded on my
router running Etch (Pentium III, 449MHz, 380 MB RAM).

How can I speed this up? Advice?

thanks,
->HS

Anyone ... ?

That's a whole lotta rules. I'm not surprised that iptables doesn't
scale that well.

Yes. The experiment shows that this is not going well. I was wondering if there are any alternatives. I currently have around 80,000 rules now inserted, and the process is still continuing more than 17 hours later! However, my internet connection seems to be holding up without any noticeable performance cut so far.

->HS

--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx

Follow-Ups:
- Re: loading huge number of rules in iptables (blocklist)
  - From: Greg Folkert
- Re: loading huge number of rules in iptables (blocklist)
  - From: Andrew Sackville-West
- Re: loading huge number of rules in iptables (blocklist)
  - From: Albert Dengg

References:
- loading huge number of rules in iptables (blocklist)
  - From: H.S.
- Re: loading huge number of rules in iptables (blocklist)
  - From: H.S.
- Re: loading huge number of rules in iptables (blocklist)
  - From: Ron Johnson

Prev by Date: Re: X problem after upgrade
Next by Date: Re: how to switch between different network configurations?
Previous by thread: Re: loading huge number of rules in iptables (blocklist)
Next by thread: Re: loading huge number of rules in iptables (blocklist)
Index(es):
- Date
- Thread

Relevant Pages

Re: loading huge number of rules in iptables (blocklist)
... Hash: SHA1 ... So the above function's loop goes over these many times ... inserting the rules for each range. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
(Debian-User)
Re: [PATCH 1/1] (v3) SYSVIPC - Fix the ipc structures initialization
... a simple testcase is concurrently running an infinite loop on ... So idr_get_newis inserting a pointer into the ... This patch moves the spin_lock_initbefore the call to ipc_addid. ... return err; ...
(Linux-Kernel)
Re: [PATCH 1/1] (v3) SYSVIPC - Fix the ipc structures initialization
... a simple testcase is concurrently running an infinite loop on ... So idr_get_newis inserting a pointer into the ... This patch moves the spin_lock_initbefore the call to ipc_addid. ... return err; ...
(Linux-Kernel)
RE: SQL insert record return value?
... > I have a loop that includes inserting a record to a datasbase. ... See http://www.QBuilt.com for all your database needs. ...
(microsoft.public.access.modulesdaovba)
Re: [PATCH] Linux Kernel Markers 0.5 for Linux 2.6.17 (with probe management)
... The register filling doesnt even have to be function-calling-convention compliant - that makes the symbolic probe almost zero-impact to register allocation/scheduling, the only thing it should ensure is that the parameters that are annotated to be available in register, stack or memory _somewhere_. ... Do you mean using the asm to make sure gcc puts a reference to a variable into the DWARF info, or some other way of encoding the value locations? ... If the mark is in a loop, and gcc decides to unroll the loop, then you'll probably only get a mark in one iteration of the loop. ... That way, if the asminserting them gets duplicated, you'll get duplicate records in the marker section. ...
(Linux-Kernel)