Re: iptables very slow after commit784544739a25c30637397ace5489eeb6e15d7d49

From: Harald Welte
Date: Sun Apr 12 2009 - 08:40:32 EST

Next message: Ingo Molnar: "Re: Problem with kvm on -tip"
Previous message: Wu Fengguang: "Re: [PATCH 3/3] readahead: introduce context readahead algorithm"
In reply to: Kyle Moffett: "Re: iptables very slow after commit 784544739a25c30637397ace5489eeb6e15d7d49"
Next in thread: Jan Engelhardt: "Re: iptables very slow after commit784544739a25c30637397ace5489eeb6e15d7d49"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,

On Sat, Apr 11, 2009 at 05:54:41PM -0700, david@xxxxxxx wrote:
>> Almost all of the standard firewall tools (such as shorewall, etc) are
>> already using iptables-restore command to load firewall rules,
>> primarily because using separate iptables commands was *already* way
>> too slow. There's also the serious race-condition of doing a firewall
>> restart that way where you only have half your rules loaded for a bit.
>> The "iptables" command is fine for fiddling around with the command
>> line and making minor tweaks, but it simply doesn't cut it for
>> large-scale rules.
>
> what are the userspace level tools that I am supposed to use in place of
> my current process? (which is to have a script that 1. stops traffic, 2.
> executes the iptables commands to create the rules that I want, then 3.
> enables traffic)
>
> iptables-restore only works if you are actually restoring the old set of
> rules. if you need to change the rules that doesn't work.

That's what I implemented as "iptables-restore --noflush" a number of years
ago. It doesn't flush the current uleset and swaps in a new one, but
reads the current rules from kernel, applies any number of changes and swaps
the new ruleset in.

The syntax of iptables-restore is almost identical to iptables commands, you
just specify the table in a different way. So you would just create your
desired changes in that format, and echo that into iptables-restore. If it's
an entire new ruleset, you use no '--noflush' and it does automatic flushing
of all old rules. If your stdin-file contains only incremental changes, you
use --noflush.

In the netfilter project, we knew for many years that the 'swap the entire
table atomically in' is a bad design choice. This is what various developers
have been trying to address at different times, and which finally resulted
in the nftables implementation of Patrick McHardy. So for the mid- to long
term there is a clear design that moves away from that.

But so far, we have to live with the API and its semantics. iptables userspace
has been improved a number of times, and things like iptables-restore with or
without --noflush can be used as an intermediate solution - and have been used
by many systems out there.

--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

Attachment: signature.asc
Description: Digital signature

Next message: Ingo Molnar: "Re: Problem with kvm on -tip"
Previous message: Wu Fengguang: "Re: [PATCH 3/3] readahead: introduce context readahead algorithm"
In reply to: Kyle Moffett: "Re: iptables very slow after commit 784544739a25c30637397ace5489eeb6e15d7d49"
Next in thread: Jan Engelhardt: "Re: iptables very slow after commit784544739a25c30637397ace5489eeb6e15d7d49"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]