First of all, please stop framing netfilter! It does carry some inherent performance cost, but please do not equate iptables with netfilter. If you want to catch the culprit, name iptables directly, not netfilter!
iptables really is hopelessly weak! Its ipt_do_table is one of the five main culprits, and once the rule count exceeds about 7000 it becomes the first (the other culprits are the nf_conntrack functions, which are also netfilter hooks). The reason iptables is inefficient is that its ACL rules are never preprocessed: the packet is matched directly against the rules in the form and order a human configured them. It is as if the protocol stack had not turned the routing table into a forwarding table and instead made every packet run the longest-prefix match against the raw routing table! That is not Linux's fault and not netfilter's fault; it is your fault. Why not try, or modify, nf-hipac?
The match elements of an ACL combine by AND and by OR. Conventionally, the elements within one rule are ANDed, and different rules are ORed, as in the following two rules:
iptables -A FORWARD -d $ip1 -p tcp -j DROP
iptables -A FORWARD -d $ip2 -p udp -j DROP
Here ip1 AND tcp, and ip2 AND udp, are the AND operations, and the two rules are ORed. If we group by rule, we conclude that the elements of the same group must be checked serially, while different groups can be checked in parallel.
But if the rules are going to be preprocessed and regrouped anyway, why not regroup them by match element rather than by rule? This is justified: the number of match fields is fixed, while the number of rules is not, so among the massive number of element values we must be able to run a fast lookup rather than a sequential traversal, and we must therefore never serialize that mass of elements into one group. ACL matching needs both traversal and fast lookup (as said above, within one group only serial traversal is possible, while across groups any algorithm can run in parallel), but remember: do not split into groups by rule; take the match element as the grouping datum. The way people understand rules and the way a computer should process them are completely different, even opposite.
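As an added illustration (this is not code from the original post, nor nf-hipac's own code), the Python below carries the two rules above through both approaches: a sequential matcher that walks the rule list in order, the way ipt_do_table does, and a matcher that preprocesses the rules field by field into lookup tables of rule bitmaps, so that the per-packet cost is one lookup per field plus a bitwise AND, with first-match order recovered from the lowest set bit. The addresses standing in for $ip1 and $ip2, the extra rules and the sample packets are all constructed for the demonstration; nf-hipac's actual data structures differ.

```python
# Added example (not from the original post or nf-hipac): ACL matching
# regrouped by match field.  Sequential matching walks the rule list in the
# order it was typed; the indexed matcher preprocesses the rules into one
# table per field holding bitmaps of rule numbers, ANDs the per-field bitmaps
# and takes the lowest set bit, so first-match order is preserved.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    dst: str              # destination prefix in CIDR notation (-d)
    proto: Optional[str]  # "tcp", "udp" or None for any protocol (-p)
    dport: Optional[int]  # destination port or None for any port (--dport)
    target: str           # "ACCEPT" or "DROP" (-j)


def match_sequential(rules, pkt, policy="ACCEPT"):
    """iptables-style traversal: test every rule in order, first hit wins."""
    addr = ipaddress.ip_address(pkt["dst"])
    for idx, r in enumerate(rules):
        if (addr in ipaddress.ip_network(r.dst)
                and r.proto in (None, pkt["proto"])
                and r.dport in (None, pkt["dport"])):
            return idx, r.target
    return None, policy            # fell off the chain: chain policy applies


class FieldIndexedACL:
    """Preprocessed ACL: one lookup table per field, rule sets as int bitmaps."""

    def __init__(self, rules, policy="ACCEPT"):
        self.rules, self.policy = list(rules), policy
        # dst: {prefix_len: {network_as_int: bitmap}}.  One dict probe per
        # distinct prefix length at lookup time, not one probe per rule.
        self.dst_tables = {}
        self.proto_table, self.proto_any = {}, 0   # *_any: rules without that test
        self.port_table, self.port_any = {}, 0
        for idx, r in enumerate(self.rules):
            bit = 1 << idx
            net = ipaddress.ip_network(r.dst)
            table = self.dst_tables.setdefault(net.prefixlen, {})
            key = int(net.network_address)
            table[key] = table.get(key, 0) | bit
            if r.proto is None:
                self.proto_any |= bit
            else:
                self.proto_table[r.proto] = self.proto_table.get(r.proto, 0) | bit
            if r.dport is None:
                self.port_any |= bit
            else:
                self.port_table[r.dport] = self.port_table.get(r.dport, 0) | bit

    def _dst_bits(self, dst):
        addr, bits = int(ipaddress.ip_address(dst)), 0
        for plen, table in self.dst_tables.items():
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            bits |= table.get(addr & mask, 0)
        return bits

    def match(self, pkt):
        """AND the per-field bitmaps; the lowest set bit is the first match."""
        bits = self._dst_bits(pkt["dst"])
        bits &= self.proto_table.get(pkt["proto"], 0) | self.proto_any
        bits &= self.port_table.get(pkt["dport"], 0) | self.port_any
        if bits == 0:
            return None, self.policy
        idx = (bits & -bits).bit_length() - 1
        return idx, self.rules[idx].target


# Constructed rule set: the page's two rules with sample addresses standing
# in for $ip1/$ip2, plus rules whose order matters (rule 2 shadows rule 3).
RULES = [
    Rule("10.0.0.1/32", "tcp", None, "DROP"),   # -d $ip1 -p tcp -j DROP
    Rule("10.0.0.2/32", "udp", None, "DROP"),   # -d $ip2 -p udp -j DROP
    Rule("10.0.1.0/24", "udp", 53, "ACCEPT"),
    Rule("10.0.0.0/16", "udp", 53, "DROP"),
    Rule("0.0.0.0/0", "tcp", 22, "ACCEPT"),
]

PACKETS = [  # constructed packets and the rule each one should hit
    {"dst": "10.0.0.1", "proto": "tcp", "dport": 80},   # rule 0
    {"dst": "10.0.0.1", "proto": "udp", "dport": 80},   # no rule -> policy
    {"dst": "10.0.0.2", "proto": "udp", "dport": 53},   # rule 1, before rule 3
    {"dst": "10.0.1.9", "proto": "udp", "dport": 53},   # rule 2 shadows rule 3
    {"dst": "10.0.2.9", "proto": "udp", "dport": 53},   # rule 3
    {"dst": "192.0.2.7", "proto": "tcp", "dport": 22},  # rule 4
]


def cross_check(rules=RULES, packets=PACKETS):
    """Return the indexed matcher's (rule, verdict) per packet after checking
    that each one agrees with plain sequential traversal."""
    acl = FieldIndexedACL(rules)
    results = []
    for pkt in packets:
        seq, idx = match_sequential(rules, pkt), acl.match(pkt)
        assert seq == idx, (pkt, seq, idx)
        results.append(idx)
    return results
```

Calling cross_check() classifies every constructed packet both ways and returns the verdicts; the point to notice is that the indexed matcher never looks at the rule count per packet: the destination lookup costs one probe per distinct prefix length present, the protocol and port lookups one probe each, and the OR with the *_any bitmaps is how wildcard elements (a rule with no -p or no --dport) take part in the AND without being enumerated.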
Most firewall products (leaving Cisco and Huawei aside for now; the various *wrt distributions all have similar patches, perhaps? Well, it seems to be so, although I have not seen it myself, just a guess...) preprocess the hand-typed ACL rule chain. This is also what nf-hipac does; I have written several related articles before. Linux iptables does no preprocessing at all, and that is why it is inefficient, but this inefficiency cannot be blamed on Linux or on netfilter itself, please be aware.
This weekend has been a bit real and a bit unreal! The typhoon I was looking forward to did not come, damn it! A few days ago I had pinned too much hope on the typhoon making landfall, even though the meteorological observatory kept making noise about it... They all do big-data analysis on historical data and do not understand the relationship between the westerlies, typhoons, the subtropical high, Shanghai and latitude. I analyzed this a few years ago but never published it; my meteorology forum account is lost, and my level is not high, so posting it on an IT forum would seem a bit pretentious, and I can only sigh to myself. Yesterday in Jiading, Shanghai, the rain was not heavy, moderate at best; I went out without an umbrella for a while looking for inspiration, and when I came back I ended up quarrelling with my wife... Alas, the nice weather I like blew up just like that. In the afternoon the rain got a bit heavier, and the evening was fine too; I coaxed my good wife out to dinner, downtown was nice and quiet, and for once we did not have to queue for weekend dinner! I went out of the restaurant in the rain to buy cream puffs and saw two foreigners holding an umbrella they did not open, just walking in the rain; for an instant I felt I had found my people. Fine, why follow what others do, or what everyone else does? I like rainy days, so on rainy days I do not carry an umbrella; if someone seriously asks why I was seen with an umbrella, I will tell him: I like the rain, but my phone does not....
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.
Tuning point for Linux soft firewall ACL matching