Optimization of Linux software firewall ACL matching
First, do not pin this on Netfilter! Netfilter does carry some inherent overhead, but please do not equate iptables with Netfilter. If you want to name the culprit, say iptables directly, not Netfilter!
Iptables really is weak. Its ipt_do_table is one of the five major culprits in kernel forwarding performance, and once the rule count exceeds about 7000 it becomes the first (another culprit is the nf_conntrack function, which is also a Netfilter hook). The reason iptables is inefficient is that its ACL rules are not preprocessed at all: packets are matched against the rules one by one, in exactly the form and order a human typed them. Compare this with the Linux protocol stack, where the routing table is likewise not converted into a separate forwarding table and longest-prefix matching is performed directly on each packet. This is not a Linux error, nor a Netfilter error, but your error. Why not try, or modify, nf-HiPAC?
ACL element matching can be divided into "and" and "or" operations. The usual understanding is that the match elements within one rule are ANDed together, while different rules are ORed with each other, as in the following two rules:
iptables -A FORWARD -d $ip1 -p tcp -j DROP
iptables -A FORWARD -d $ip2 -p udp -j DROP
Here ip1 AND tcp, and ip2 AND udp, are "and" operations, while the two rules as a whole are an "or" operation. If we group by rule in this way, we reach the conclusion that elements within the same group must be matched serially, while different groups can be matched in parallel.
If we preprocess the two rules and regroup them the other way round, can we group by match element (field) instead of by rule? This is justified because the number of match fields is fixed, while the number of rules is not. With a massive number of rules we must run a fast lookup algorithm over each field rather than sequentially traversing the rules, so the massive set of rules must not be serialized as one group of elements. ACL matching needs both traversal and fast lookup (as noted above, the same group can only be traversed serially, while any algorithm can run across groups in parallel), but remember not to form the groups by rule: use the match field as the grouping axis. Human understanding and computer processing are completely different things, sometimes even opposite.
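The following is an added illustration, not code from the post or from nf-HiPAC. It models the regrouping described above in user space: rules are preprocessed per match field (destination prefix and protocol), each field lookup yields a bitmask of candidate rule indices, and the masks are ANDed. Because bit i stands for the i-th configured rule, the lowest set bit of the result is the first matching rule in configured order, so first-match semantics are preserved. The rule set and packets are constructed for the example; ip1 and ip2 from the post are assumed to be 192.0.2.10 and 192.0.2.20.

```python
"""Per-field (element-grouped) ACL matching versus iptables-style sequential matching.

Added example. The destination field is looked up once per distinct prefix length
(bounded by 33 for IPv4), the protocol field once, regardless of how many rules exist.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    dst: str               # destination CIDR; "0.0.0.0/0" matches any address
    proto: Optional[str]   # "tcp", "udp", ... or None for any protocol
    target: str            # ACCEPT / DROP / REJECT ...


POLICY = "ACCEPT"          # chain policy applied when no rule matches


def linear_match(rules: List[Rule], dst: str, proto: str) -> str:
    """What ipt_do_table effectively does: test every rule in order, first hit wins."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if addr in ipaddress.ip_network(r.dst) and (r.proto is None or r.proto == proto):
            return r.target
    return POLICY


class FieldClassifier:
    """Rules regrouped by match field; each field maps a packet value to a rule bitmask."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Field 1: (network, prefixlen) -> bitmask of rules carrying exactly that prefix.
        self.by_prefix: Dict[Tuple[int, int], int] = {}
        # Field 2: protocol -> bitmask; rules with proto=None are collected in any_proto.
        self.by_proto: Dict[str, int] = {}
        self.any_proto = 0
        for i, r in enumerate(rules):
            net = ipaddress.ip_network(r.dst)
            key = (int(net.network_address), net.prefixlen)
            self.by_prefix[key] = self.by_prefix.get(key, 0) | (1 << i)
            if r.proto is None:
                self.any_proto |= 1 << i
            else:
                self.by_proto[r.proto] = self.by_proto.get(r.proto, 0) | (1 << i)
        # Distinct prefix lengths in the rule set, longest first (at most 33 for IPv4).
        self.prefix_lens = sorted({plen for _, plen in self.by_prefix}, reverse=True)

    def dst_candidates(self, dst: str) -> int:
        """OR the bitmasks of every configured prefix that covers dst: one hash lookup per length."""
        addr = int(ipaddress.ip_address(dst))
        mask = 0
        for plen in self.prefix_lens:
            net = (addr >> (32 - plen)) << (32 - plen)   # plen == 0 yields 0
            mask |= self.by_prefix.get((net, plen), 0)
        return mask

    def proto_candidates(self, proto: str) -> int:
        return self.by_proto.get(proto, 0) | self.any_proto

    def match(self, dst: str, proto: str) -> str:
        """AND the per-field candidate sets; lowest set bit = earliest rule in configured order."""
        hits = self.dst_candidates(dst) & self.proto_candidates(proto)
        if hits == 0:
            return POLICY
        first = (hits & -hits).bit_length() - 1
        return self.rules[first].target


# Constructed rule set: the two rules from the post plus two more, in configured order.
RULES = [
    Rule("192.0.2.10/32", "tcp", "DROP"),    # iptables -A FORWARD -d $ip1 -p tcp -j DROP
    Rule("192.0.2.20/32", "udp", "DROP"),    # iptables -A FORWARD -d $ip2 -p udp -j DROP
    Rule("192.0.2.0/24", None, "ACCEPT"),    # any protocol to the whole /24
    Rule("0.0.0.0/0", "udp", "REJECT"),      # all remaining UDP
]


def check_equivalence(packets: List[Tuple[str, str]]):
    """Return (dst, proto, sequential verdict, field-grouped verdict) for each packet."""
    clf = FieldClassifier(RULES)
    return [(d, p, linear_match(RULES, d, p), clf.match(d, p)) for d, p in packets]


if __name__ == "__main__":
    for row in check_equivalence([("192.0.2.10", "tcp"), ("192.0.2.10", "udp"),
                                  ("192.0.2.20", "udp"), ("198.51.100.7", "udp"),
                                  ("198.51.100.7", "tcp")]):
        print(row)
```

The sequential matcher costs O(number of rules) per packet; the field-grouped matcher costs one lookup per distinct prefix length plus one protocol lookup, then a single AND, and adding a field (source address, port ranges) adds one more per-field structure rather than lengthening the traversal. This is the shape of the preprocessing that iptables lacks.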
Most firewall products (Cisco and Huawei go without saying; XXWRT seems to carry similar patches, maybe? It appears so, although I have not looked at them closely, it is just my guess...) preprocess the ACL rule chains that a human typed in. This is exactly the approach of nf-HiPAC, about which I have written several articles before. Linux iptables does no preprocessing at all, and that is the cause of its inefficiency. But this inefficiency cannot be blamed on Linux or on Netfilter.
This weekend was a bit of a letdown. The typhoon I had been looking forward to never came. A few days ago I had put too much hope in the typhoon making landfall, even though the weather stations had been talking it up for a long time... those people do big-data analysis on historical records; they do not understand the relationship between the westerlies, the typhoon, the subtropical high and the latitude of Shanghai. I analyzed this a few years ago but never published it; my account on the meteorology forum is lost and my level there was never high. My standing is a bit higher on IT forums, so all I can do is sigh. Yesterday the rain in Jiading district of Shanghai was not heavy, just moderate. I went out without an umbrella for a while and came back to a quarrel with my wife... alas, the good weather I like was ruined, and the rain got a little heavier in the afternoon. It was fine by evening, so my wife and I could go out for dinner together. The downtown was quiet, with no queue for a weekend dinner! I went out of the restaurant to buy a PUF in heavy rain and saw two foreigners holding an umbrella without opening it, even though it was raining. In that instant I felt I had found my people: why follow the path of others or of the crowd? I like rainy days, so I do not need an umbrella. If someone asks why I am seen with an umbrella, I will tell him that I like the rain, but my mobile phone does not....
Copyright notice: This article is the blogger's original work and may not be reproduced without the blogger's permission.