Performance of iptables-restore on large rule sets
From: Steve Bergman
Date: Fri Jan 28 2005 - 14:11:54 EST
I have a large rule set (~53000 rules) that I sometimes load using
iptables-restore. (It takes almost an hour.)
Googling around tells me that the loop detection code in the kernel is
slow with large rule sets. The only thing that seems odd to me is that
throughout the entire loading process, iptables-restore is consistently
at about 67% user and 33% system processor time according to vmstat. If
the slowness is in the kernel, shouldn't I be seeing a high and ever
increasing amount of "system" time?
Kernel is 2.6.9-1.681_FC3. Iptables is iptables-1.2.11-3.1.FC3.
Thanks for any insights,
Steve Bergman