Slow manipulation of netfilter rules

Posted by Ole Martin Eide on Server Fault See other posts from Server Fault or by Ole Martin Eide
Published on 2010-05-05T19:32:10Z Indexed on 2010/05/05 19:38 UTC
Read the original article Hit count: 242

Filed under:

iptables

|

kernel

I have a script maintaining gre tunnels and firewall rules using the "ip" and "iptables" tools. Setting up hundreds of tunnels, and adresses per interface runs just fine. Takes less than 0.1 second per interface, however when I get around to do the firewall rules everything slows down spending >0.5 per insertion.

Why is it running so slow? What can I do to improve the speed?

It seems like I could try ipset instead, but I really feel there is something wrong with the kernel or something. The interesting thing is that the first 10 rules runs fast, then it slows down..

mybox(root) foo# iptables -V
iptables v1.3.5
mybox(root) foo# uname -a 
Linux foo 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
mybox(root) foo# cat test.sh
#!/bin/sh

for n in {1..100}
do
  /sbin/iptables -A OUTPUT -s ${n} -j ACCEPT
  /sbin/iptables -D OUTPUT -s ${n} -j ACCEPT
done
mybox(root) foo# time ./test.sh

real    1m38.839s
user    0m0.100s
sys     1m38.724s

Appriciate any help. Cheers!

© Server Fault or respective owner

Related posts about iptables

Sometimes this script fails to update the iptables

as seen on Server Fault - Search for 'Server Fault'
It does not happen often, but sometimes after running the below script, checking the iptables with service iptables status shows that they weren't updated and the script doesn't output any error. The iptables is structured as look-up tree (long repeated sections snipped): #!/bin/sh iptables -t… >>> More
My current iptable configuration doesn't work [on hold]

as seen on Server Fault - Search for 'Server Fault'
sudo chkconfig iptables off /etc/init.d/iptables on ### Clear/flush iptables sudo iptables -F sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -P FORWARD ACCEPT ### Allow SSH iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables… >>> More
L2TP iptables port forward

as seen on Server Fault - Search for 'Server Fault'
Hi all, I'm setting up port forwarding for an L2TP VPN connection to the local Windows 2003 VPN server. The router is a simpel Debian machine with iptables. The VPN server works perfect. But I cannot log in from the WAN. I'm missing something. The VPN server is using a pre-shared key (L2TP) and… >>> More
iptables -P FORWARD DROP makes port forwarding slow

as seen on Server Fault - Search for 'Server Fault'
I have three computers, linked like this: box1 (ubuntu) box2 router & gateway (debian) box3 (opensuse) [10.0.1.1] ---- [10.0.1.18,10.0.2.18,10.0.3.18] ---- [10.0.3.15] | box4, www [10.0.2.1] Among other… >>> More
IPtables AWS EC2 NAT/Reverse NAT - For Reverse Proxy style setup but with IPtables

as seen on Server Fault - Search for 'Server Fault'
I was thinking initially needing to do a reverse proxy or something so I could get some SSL/TLS traffic look like it is being terminated at a server and IP address in the AWS cloud, and then that traffic is forwarded onto our actual web servers that aren't in the cloud... I've not done much iptables… >>> More

Related posts about kernel

Can't install kernel-uek-headers for currently running kernel

as seen on Server Fault - Search for 'Server Fault'
I have just created a VM in VMWare and installed a minimal install of Oracle Enterprise Linux 6.3. # cat /etc/oracle-release Oracle Linux Server release 6.3 It is running with the UEK kernel. # uname -r 2.6.39-200.24.1.el6uek.x86_64 When I try and install VMWare Tools, I get the following error… >>> More
Why does my laptop resume immediately after suspend?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I seem to be having some problem with suspend mode. Every time I try to suspend my laptop, it just locks the screen. Or maybe it successfully suspends just to resume only an instant after. What could cause such a behaviour? I'm running 32-bit Ubuntu 12.04 with the 3.2.0-25 kernel on a HP dv5-1178er… >>> More
Fedora error log file

as seen on Server Fault - Search for 'Server Fault'
I am running a java application using this wrapper service yajsw. The problem it just stopped without any error in its logs file. So I was wondering will there be any system log file which will indicate the cause of it going down? Partial of the log file. Apr 6 00:12:20 localhost kernel: imklog… >>> More
External USB drive is failing

as seen on Super User - Search for 'Super User'
I have an external USB 2.0 drive WD My Book Mirror Edition, running in RAID 1 (mirroring) mode. A while ago the hard drive started to fail: it stops responding (directories are not listed returning an error after a big timeout). Sometimes it works for weeks before a failure, sometimes – few hours… >>> More
Problem with RAID5 (mdadm) - disk detached

as seen on Server Fault - Search for 'Server Fault'
Having these lines in /var/log/syslog Apr 18 16:53:05 Server kernel: [4487878.816036] ata4: EH in SWNCQ mode,QC:qc_active 0x1 sactive 0x1 Apr 18 16:53:05 Server kernel: [4487878.816058] ata4: SWNCQ:qc_active 0x1 defer_bits 0x0 last_issue_tag 0x0 Apr 18 16:53:05 Server kernel: [4487878… >>> More