[ale] iptables limits?
James P. Kinney III
jkinney at localnetsolutions.com
Thu Jun 2 21:27:50 EDT 2005
On Thu, 2005-06-02 at 20:09 -0400, Christopher Fowler wrote:
> On Thu, 2005-06-02 at 19:01, James P. Kinney III wrote:
> > multi-threaded
> > process. I do know that performance can suffer if rule ordering is poor
> > and every packet is forced through every table.
>
> These filters are done in kernel land. Is the filtering code designed to
> be threaded?
Not threaded in the same sense of a userland thread. I guess that was a
poor choice of terms.
The iptables process can handle more than one packet at a time. Even
though the process is very fast (I think it is just a sequence of bit
mask arithmetic) more than one packet can be in the iptables process at
a time. However, only one packet can access a rule at a time (I think. I
don't read C source well enough to be sure). I seem to recall a blurb on
the iptables (it may have been ipchains) mailing list about a
performance issue that was cleared up by adding an effective "just
continue" step in one table. Apparently the machine handled two main
network data types and one packet stream would get to the same at the
same time as the other major packet stream often enough to slow things
down enough to be noticed.
--
James P. Kinney III \Changing the mobile computing world/
CEO & Director of Engineering \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
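The rule-ordering point made in the reply above, as an added illustration that is not part of the thread or of iptables itself: a toy first-match chain where every packet is compared against rules top-down until one matches, so the cost per packet is the number of rules it had to pass. The Rule/Packet model, the port list and the traffic mix are all constructed for this example; the "established" rule plays the role of the early "just continue" step, and both orderings are checked to give identical verdicts.

```python
"""Toy first-match filter chain (an iptables-style chain in miniature).
Constructed example: shows how moving a rule that matches the bulk of
traffic to the top cuts the number of rule evaluations per packet."""
from collections import namedtuple

Rule = namedtuple("Rule", "name match target")          # match: fn(pkt) -> bool
Packet = namedtuple("Packet", "proto dport established")  # established: part of a known flow


def new_to_port(port):
    """Rule predicate: a NEW (not yet established) TCP connection to one port."""
    return lambda p: p.proto == "tcp" and p.dport == port and not p.established


def run_chain(rules, pkt, policy="DROP"):
    """Walk the chain top-down; return (verdict, number_of_rules_evaluated)."""
    for evaluated, rule in enumerate(rules, 1):
        if rule.match(pkt):
            return rule.target, evaluated
    return policy, len(rules)  # no match: every rule was evaluated, chain policy applies


def chain_cost(rules, packets):
    """Total rule evaluations over a traffic sample (the work the kernel does)."""
    return sum(run_chain(rules, p)[1] for p in packets)


def verdicts(rules, packets):
    """Verdict per packet, used to confirm a reordering did not change semantics."""
    return [run_chain(rules, p)[0] for p in packets]


# Constructed rule set: ten per-port rules for new connections, plus one rule
# that accepts any packet belonging to an already established flow.
PORT_RULES = [Rule(f"new tcp/{port}", new_to_port(port), "ACCEPT")
              for port in (22, 25, 53, 80, 110, 143, 443, 993, 995, 8080)]
ESTABLISHED = Rule("established", lambda p: p.established, "ACCEPT")

POOR_ORDER = PORT_RULES + [ESTABLISHED]   # established traffic walks all ten port rules first
GOOD_ORDER = [ESTABLISHED] + PORT_RULES   # the bulk of traffic matches rule 1 and leaves

# Constructed traffic sample: mostly established flows, a few new connections.
TRAFFIC = ([Packet("tcp", 443, True)] * 90
           + [Packet("tcp", 22, False)] * 5
           + [Packet("tcp", 80, False)] * 5)

if __name__ == "__main__":
    for label, rules in (("poor order", POOR_ORDER), ("good order", GOOD_ORDER)):
        print(f"{label}: {chain_cost(rules, TRAFFIC)} rule evaluations for {len(TRAFFIC)} packets")
    print("same verdicts:", verdicts(POOR_ORDER, TRAFFIC) == verdicts(GOOD_ORDER, TRAFFIC))
```

The reordering is only safe because the two rule groups are disjoint (one matches established packets, the others only new ones); overlapping rules cannot be swapped without changing which verdict wins.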