Re: iptables -A or iptables -I?

To: debian-firewall@lists.debian.org
Subject: Re: iptables -A or iptables -I?
From: Christoph Haas <email@christoph-haas.de>
Date: Wed, 20 Oct 2004 08:54:29 +0200
Message-id: <[🔎] 20041020065429.GA19136@workaround.org>
Mail-followup-to: Christoph Haas <email@christoph-haas.de>, debian-firewall@lists.debian.org
In-reply-to: <[🔎] 417543EF.4070105@gmx.net>
References: <[🔎] 417543EF.4070105@gmx.net>

On Tue, Oct 19, 2004 at 06:42:23PM +0200, Martin G.H. Minkler wrote:
> Just out of curiosity - which is faster (what kind of datastructure does 
> iptables use)?
> 
> a) iptables -A <chain> <rule>
> b) iptables -I <chain> 1 <rule>
> 
> Maybe this is rather a kernelspace question and should be directed to 
> that mailing list?

I attended a speach of one of the netfilter programmers at the LinuxTag
last year. He said that the what makes the shell command "iptables" slow
is that the whole rules table is copied out of the kernel space, a rule
gets added and the whole rules table is written back. They plan to
change that in the future so that iptables can directly change the
kernel space.

So whatever the exact data structure is - copying the whole rules table
twice will surely waste more time than optimizing linked lists or insert
vs. append. :)

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All

Reply to:

Follow-Ups:
- Re: iptables -A or iptables -I?
  - From: Rainer Nagel <rainer.nagel@freenet-rz.de>

References:
- iptables -A or iptables -I?
  - From: "Martin G.H. Minkler" <dukeofnukem@gmx.net>

Prev by Date: Re: Optimizing Kernel for huge iptables ruleset
Next by Date: Re: Mail Delivery (failure jkhoo@macsense.com.au)
Previous by thread: Re: iptables -A or iptables -I?
Next by thread: Re: iptables -A or iptables -I?
Index(es):
- Date
- Thread