Slow manipulation of netfilter rules
Posted by Ole Martin Eide on Server Fault
Published on 2010-05-05T19:32:10Z
I have a script maintaining GRE tunnels and firewall rules using the "ip" and "iptables" tools. Setting up hundreds of tunnels, and addresses per interface, runs just fine. It takes less than 0.1 second per interface; however, when I get around to doing the firewall rules everything slows down, spending more than 0.5 seconds per insertion.
Why is it running so slow? What can I do to improve the speed?
It seems like I could try ipset instead, but I really feel there is something wrong with the kernel or something. The interesting thing is that the first 10 rules run fast, then it slows down.
mybox(root) foo# iptables -V
iptables v1.3.5
mybox(root) foo# uname -a
Linux foo 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
mybox(root) foo# cat test.sh
#!/bin/bash
# {1..100} is a bash brace expansion, so run under bash rather than /bin/sh.
# Each pass appends one rule with n as a bare source address, then deletes it.
for n in {1..100}
do
/sbin/iptables -A OUTPUT -s ${n} -j ACCEPT
/sbin/iptables -D OUTPUT -s ${n} -j ACCEPT
done
mybox(root) foo# time ./test.sh
real 1m38.839s
user 0m0.100s
sys 1m38.724s
Appreciate any help. Cheers!
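The post above loads rules one iptables invocation at a time. Every iptables call fetches the whole table from the kernel, edits it in user space and then replaces the entire table, so N single-rule calls cost O(N^2) in table copies and the per-call time grows with the number of rules already present. The script below is an added example, not code from the original post or from a Server Fault answer: it builds the rule set as one iptables-restore batch so the table is pushed to the kernel once. The 10.x.y.z sources are constructed placeholders for the per-tunnel addresses the post describes, and the function names (index_to_addr, build_batch, rule_count, apply_batch) are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Each iptables command
# fetches the whole table from the kernel, edits it in user space and
# replaces the whole table, so N single-rule calls cost O(N^2); a single
# iptables-restore pushes the finished table once. Source addresses are
# constructed placeholders (10.a.b.c derived from the tunnel index).

# Map a tunnel index (1..N) to a constructed /32 source, 10.a.b.c,
# so the batch stays valid well beyond 254 entries.
index_to_addr() {
    printf '10.%d.%d.%d' "$(( ($1 >> 16) & 255 ))" "$(( ($1 >> 8) & 255 ))" "$(( $1 & 255 ))"
}

# Emit an iptables-restore fragment for the filter table that appends one
# ACCEPT rule per tunnel to OUTPUT. No ':CHAIN' lines are emitted, so the
# existing chains and their policies are left alone.
build_batch() {
    count=$1
    n=1
    printf '*filter\n'
    while [ "$n" -le "$count" ]; do
        printf -- '-A OUTPUT -s %s/32 -j ACCEPT\n' "$(index_to_addr "$n")"
        n=$((n + 1))
    done
    printf 'COMMIT\n'
}

# Number of rule lines in the batch for a given count (header/COMMIT excluded).
rule_count() {
    build_batch "$1" | grep -c -- '^-A '
}

# Load the batch in one kernel round trip. --noflush keeps the rules that
# are already in place; without it iptables-restore replaces the table.
# Needs root and a kernel with netfilter; not exercised by the checks below.
apply_batch() {
    build_batch "$1" | iptables-restore --noflush
}

# Hypothetical usage: ./batch.sh --demo prints a 3-rule batch to stdout.
if [ "${1:-}" = "--demo" ]; then
    build_batch 3
fi
```

Two caveats when moving from iptables to iptables-restore: without --noflush the restore replaces the whole table, dropping anything not in the batch, and the batch is applied atomically, so a single malformed line rejects the entire set rather than leaving a partial rule list behind.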
© Server Fault or respective owner