NetFilter

What's faster? multiple rules vs. multiport match

To: netfilter@lists.netfilter.org
Subject: What's faster? multiple rules vs. multiport match
From: Maximilian Wilhelm <max@rfc2324.org>
Date: Thu, 15 Feb 2007 22:37:29 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Sender: netfilter-bounces@lists.netfilter.org
User-agent: Mutt/1.5.9i
Hi!

While hacking on alff [42] I asked myself what would be more wise to
use for matching multiple ports on multiple servers/ips:

 a) one rule for every ip/port combination
 b) two rules for every server, one for tcp and one for udp
    (assuming I only have to match for udp and tcp stuff).

(The whole scenario is the following:
 I generate rules to regulate access to different services.
 Every service is translated into its own chain.
 Therein I generate a matrix of hosts running this service and the ports
 related to it - like a))

As there are some services with ~ 20 ports (think: Windows(r) DC)
there might be some advantage in choosing the faster way.

Is there any "benchmark" which might enlighten me which way to use?
Any comments?

Thanks in advance
Ciao
Max
-- 
        Follow the white penguin.
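As an added illustration of the two layouts the post compares (this is not code from the post or from alff), the POSIX sh script below takes a host/port matrix for one service chain and prints the `iptables` commands for layout a) (one rule per host/port/protocol) and layout b) (one `-m multiport` rule per host and protocol). It prints rather than applies the rules so the two variants can be diffed and counted before anything touches a live ruleset. The chain name `svc_dc`, the host addresses and the port lists are constructed sample data, not an authoritative list of any real service's ports. The one real-world constraint the script encodes is that `xt_multiport` accepts at most 15 ports per match (a range counts as two), so a ~20-port service still needs more than one rule per host and protocol under layout b).

```shell
#!/bin/sh
# Added example, not from the original post: emit the two rule layouts from a
# host/port matrix so they can be compared side by side. All data below is
# constructed; "svc_dc" is an assumed chain name.

# Layout a): one rule per host/port/protocol combination.
gen_per_port() {
    chain=$1; hosts=$2; proto=$3; ports=$4
    for h in $hosts; do
        for p in $ports; do
            printf 'iptables -A %s -d %s -p %s --dport %s -j ACCEPT\n' \
                "$chain" "$h" "$proto" "$p"
        done
    done
}

# Layout b): one multiport rule per host and protocol.
# xt_multiport takes at most 15 ports per match (a range such as 1000:2000
# counts as two), so a longer list is split into several rules.
gen_multiport() {
    chain=$1; hosts=$2; proto=$3; ports=$4
    for h in $hosts; do
        chunk=""; n=0
        for p in $ports; do
            chunk="${chunk:+$chunk,}$p"
            n=$((n + 1))
            if [ "$n" -eq 15 ]; then
                printf 'iptables -A %s -d %s -p %s -m multiport --dports %s -j ACCEPT\n' \
                    "$chain" "$h" "$proto" "$chunk"
                chunk=""; n=0
            fi
        done
        if [ -n "$chunk" ]; then
            printf 'iptables -A %s -d %s -p %s -m multiport --dports %s -j ACCEPT\n' \
                "$chain" "$h" "$proto" "$chunk"
        fi
    done
}

# Number of rules a generator call would produce (printed on stdout).
rule_count() {
    "$@" | wc -l | tr -d ' '
}

# Constructed sample matrix: two hosts, 17 TCP ports (enough to exercise
# the 15-port split) and 5 UDP ports.
SAMPLE_HOSTS="192.0.2.10 192.0.2.11"
SAMPLE_TCP="53 88 135 139 389 445 464 636 3268 3269 5722 9389 49152 49153 49154 49155 49156"
SAMPLE_UDP="53 88 123 389 464"

echo "# layout a) rules: tcp=$(rule_count gen_per_port svc_dc "$SAMPLE_HOSTS" tcp "$SAMPLE_TCP") udp=$(rule_count gen_per_port svc_dc "$SAMPLE_HOSTS" udp "$SAMPLE_UDP")"
echo "# layout b) rules: tcp=$(rule_count gen_multiport svc_dc "$SAMPLE_HOSTS" tcp "$SAMPLE_TCP") udp=$(rule_count gen_multiport svc_dc "$SAMPLE_HOSTS" udp "$SAMPLE_UDP")"
echo "# layout b) commands:"
gen_multiport svc_dc "$SAMPLE_HOSTS" tcp "$SAMPLE_TCP"
gen_multiport svc_dc "$SAMPLE_HOSTS" udp "$SAMPLE_UDP"
```

With the sample matrix, layout a) yields 34 TCP and 10 UDP rules, layout b) 4 TCP and 2 UDP rules (the 17 TCP ports split into a 15-port and a 2-port match per host). Either output can be piped to `sh` on a test box to populate the chain, after which the per-rule packet counters in `iptables -L svc_dc -v -n -x` show how many rules a packet traverses before it matches, which is the quantity the "which is faster" question actually turns on.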

