Tuning point for Linux soft firewall ACL matching

Source: Internet
Author: User


First of all, please stop blaming netfilter. It does carry some inherent performance cost, but do not equate iptables with netfilter; if you want to name the culprit, say iptables, not netfilter!
iptables is truly weak!

Its ipt_do_table is in fact one of the five main culprits, and once the rule count exceeds 7000 it becomes the number one culprit (the other major one is nf_conntrack; both are netfilter hooks). The reason iptables is inefficient is that its ACL rules are not preprocessed at all: packets are matched directly against the rules in exactly the form and order a human typed them in. It is as if the routing table in the Linux stack were never converted into a forwarding table and every packet were instead run through longest-prefix matching against the raw route list. That is not Linux's fault, and it is not netfilter's fault; it is yours.



Why not try nf-HiPAC, or modify it?
       ACL element matching can be divided into AND and OR. Roughly speaking, the matching elements within one rule are ANDed together, and different rules are ORed. Take the following rules:

    iptables -A FORWARD -d $ip1 -p tcp -j DROP
    iptables -A FORWARD -d $ip2 -p udp -j DROP

Here "ip1 AND tcp" and "ip2 AND udp" are AND operations, while the two rules are ORed. If we group them this way, we conclude that elements within the same group must be matched serially, while different groups can be processed in parallel.




       Now suppose we preprocess the rules and turn them inside out: can we group by matching element rather than by rule? There is a good reason to do so. The number of matching elements (fields) is fixed, while the number of rules is not. We need to be able to run fast lookup algorithms over the huge set of values instead of sequentially traversing and matching rule by rule, so those huge sets must not be serialized as elements of a single group. ACL matching needs both traversal and fast lookup (as noted above: within a group you can only traverse serially; across groups you can run any algorithm you like in parallel), but remember that the grouping is not by rule: the matching element is the grouping datum. The way people understand rules and the way a machine should process them are completely different, even opposite.
       Most firewall products (Cisco goes without saying; the various xxWRT firmwares all seem to carry similar patches. Maybe? Well, it seems to be true, though I have not seen it with my own eyes. Just a guess ...) preprocess the chain of ACL rules that an administrator typed in by hand, which is in fact the nf-HiPAC approach, and I have written several articles about it before. Linux iptables does no preprocessing whatsoever, and that is why it is inefficient, but that inefficiency cannot be blamed on Linux or on netfilter itself, please understand.
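As an added illustration (not code from the original post and not nf-HiPAC's own implementation), the following Python builds the "field-first" structure described above. Rules are decomposed per matching field; each field gets its own fast lookup structure (hash tables per prefix length for the destination address, a hash table for the protocol, binary search over elementary intervals for the destination port); a packet is classified by intersecting the per-field rule-ID bitsets (the AND within a rule) and taking the lowest set bit (the first match in chain order, i.e. the OR across rules). The rule set, the `FieldIndexedAcl` class and the `cross_check` sweep are all constructed for this example, and the result is compared against a plain in-order traversal, which is what ipt_do_table does.

```python
# Added example: rules regrouped by matching field (nf-HiPAC style), IPv4 only.
import bisect
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dst: str        # destination CIDR; "0.0.0.0/0" means any
    proto: str      # "tcp", "udp" or "any"
    dport: tuple    # inclusive (lo, hi) destination port range; (0, 65535) means any
    target: str


# Constructed sample chain (not from the page); order matters, as in an iptables chain.
RULES = [
    Rule("10.1.1.1/32", "tcp", (0, 65535), "DROP"),     # -d $ip1 -p tcp -j DROP
    Rule("10.1.1.2/32", "udp", (0, 65535), "DROP"),     # -d $ip2 -p udp -j DROP
    Rule("10.1.0.0/16", "tcp", (22, 22), "ACCEPT"),
    Rule("10.0.0.0/8", "any", (0, 65535), "DROP"),
    Rule("0.0.0.0/0", "tcp", (80, 443), "ACCEPT"),
]
POLICY = "ACCEPT"   # chain policy when no rule matches


def rule_matches(r, dst, proto, dport):
    return (ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
            and r.proto in ("any", proto)
            and r.dport[0] <= dport <= r.dport[1])


def linear_match(rules, dst, proto, dport):
    """What ipt_do_table does: walk the chain in configured order, stop at the first hit."""
    for i, r in enumerate(rules):
        if rule_matches(r, dst, proto, dport):
            return i, r.target
    return None, POLICY


class FieldIndexedAcl:
    """Each field answers 'which rules could match this value?' as a bitset of rule numbers."""

    def __init__(self, rules):
        self.rules = rules
        # dst: one hash table per prefix length (a longest-prefix-style lookup)
        self.dst = {}   # prefix_len -> {network_int: bitset}
        for i, r in enumerate(rules):
            net = ipaddress.ip_network(r.dst)
            tbl = self.dst.setdefault(net.prefixlen, {})
            key = int(net.network_address)
            tbl[key] = tbl.get(key, 0) | (1 << i)
        # proto: hash table; rules with proto "any" are ORed into every lookup
        self.proto = {}
        for i, r in enumerate(rules):
            if r.proto != "any":
                self.proto[r.proto] = self.proto.get(r.proto, 0) | (1 << i)
        self.proto_any = sum(1 << i for i, r in enumerate(rules) if r.proto == "any")
        # dport: cut 0..65535 into elementary intervals at every rule boundary;
        # each interval carries the bitset of rules covering it, found by binary search
        bounds = {0} | {r.dport[0] for r in rules} | {r.dport[1] + 1 for r in rules}
        self.port_starts = [b for b in sorted(bounds) if b <= 65535]
        self.port_bits = []
        for lo in self.port_starts:
            bits = 0
            for i, r in enumerate(rules):
                if r.dport[0] <= lo <= r.dport[1]:
                    bits |= 1 << i
            self.port_bits.append(bits)

    def dst_bits(self, dst):
        a = int(ipaddress.ip_address(dst))
        bits = 0
        for plen, tbl in self.dst.items():
            key = a & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
            bits |= tbl.get(key, 0)
        return bits

    def match(self, dst, proto, dport):
        # AND across fields = intersect the bitsets; OR across rules = pick lowest rule number
        bits = (self.dst_bits(dst)
                & (self.proto.get(proto, 0) | self.proto_any)
                & self.port_bits[bisect.bisect_right(self.port_starts, dport) - 1])
        if bits == 0:
            return None, POLICY
        first = (bits & -bits).bit_length() - 1
        return first, self.rules[first].target


def cross_check(acl, rules):
    """Compare the indexed classifier with in-order traversal on a constructed sweep; returns mismatch count."""
    mismatches = 0
    for dst in ("10.1.1.1", "10.1.1.2", "10.1.9.9", "10.2.3.4", "192.0.2.1"):
        for proto in ("tcp", "udp", "icmp"):
            for dport in (0, 21, 22, 23, 53, 80, 443, 444, 65535):
                if acl.match(dst, proto, dport) != linear_match(rules, dst, proto, dport):
                    mismatches += 1
    return mismatches


if __name__ == "__main__":
    acl = FieldIndexedAcl(RULES)
    print(acl.match("10.1.1.2", "tcp", 22), linear_match(RULES, "10.1.1.2", "tcp", 22))
    print("mismatches:", cross_check(acl, RULES))
```

The per-field lookups are each independent of the rule count's order (hash lookup or binary search), and only the final intersection brings the rules back together; in a real implementation the bitsets would be fixed-width bit vectors, and the destination lookup would be a trie rather than a loop over prefix lengths, but the decomposition is the point.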
       This weekend has been a bit surreal. The typhoon everyone was looking forward to did not come, damn it! I had pinned too much hope on the typhoon making landfall these past few days, even though the meteorological observatory had been making a lot of noise about it ... Those people all do big-data analysis on historical data, and they do not understand the relationship between the westerlies, the typhoon, the subtropical high and the latitude of Shanghai. I analyzed this a few years ago but never published it; I lost my account on the meteorological forum, and my level there is not high, while posting this on an IT forum would look a bit lofty, so I can only sigh to myself. Yesterday the rain in Jiading, Shanghai was not heavy, moderate rain at most; I went out for a while without an umbrella looking for inspiration, and came back to a quarrel with my wife ... Alas, the kind of weather I like so much was ruined. The rain got slightly heavier in the afternoon, and in the evening I managed to coax my wife into going out for dinner. Downtown was quiet; for once there was no queue for dinner on a weekend. I got soaked in the rain and bought a cream puff at the restaurant. I saw two foreigners holding an umbrella without opening it, just walking in the rain; instantly I felt I had found my own kind: if you like something, why follow everyone else's way of doing things? I like rainy days, so when it rains I do not use an umbrella, and if someone seriously asks why I am not using one, I tell them: I like the rain. But my phone does not ....


