
Re: howto block ssh brute-force

--On March 12, 2006 2:29:09 PM +0100 martin f krafft <madduck@debian.org> wrote:

> also sprach Michael Loftis <mloftis@modwest.com> [2006.03.12.1159 +0100]:
>> The only thing I can say is be *VERY* careful on a busy Linux box.
>> iptables sucks. It's sequential, meaning every entry in a list has to be
>> processed.
>
> This is not the case. You can branch iptables rulesets to arbitrary
> complexity. In fact, I often wanted Firewall-1 to have a similar
> feature. Firewall-1 scales pretty damn well (4 Gbps throughput,
> stateful), but in my experience, iptables can handle way more.

Yes you can make arbitrarily deep jumps/chains, but any single list is still processed sequentially. One could probably implement scripting to produce a sort of binary tree on hashes/jumps to chains. Fact is it does not do long lists well at all because they are processed sequentially, unless this has changed for 2.6.

I'd love to see a Linux box capable of 4Gbps throughput but somehow I really doubt this as being possible without a LOT more work, and some pretty trick hardware.

Linux iptables definitely has more flexibility than anything else out there right now, I'll certainly give it that hands down. Long lists though (at least in 2.4) and it falls flat. We once tried doing blocking on the mail servers for dictionary attempts and some other nasties on SMTP, but that didn't last long mostly because even just jumping to process SYN packets on the list it still ate up a lot of the system's horsepower. These lists were pretty long (1500-2000 hosts) but still.
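The "tree of jumps to chains" idea from the reply above, as an added example that is not from this thread: a POSIX sh/awk generator that splits a flat host blocklist into one sub-chain per /8 prefix, so a new SSH connection (port 22 is assumed from the thread subject; the sample addresses are constructed) walks only the prefix chain plus one small sub-chain instead of the whole list. The output is an iptables-restore fragment, not applied here.

```shell
#!/bin/sh
# Constructed sample blocklist (not from the thread): 8 hosts across 3 /8 prefixes.
BLOCKLIST='10.1.2.3
10.9.8.7
10.200.1.1
192.0.2.10
192.0.2.11
198.51.100.5
198.51.100.6
198.51.100.7'

# gen_rules: read one IPv4 address per line on stdin and print an
# iptables-restore fragment. A top-level BLOCK chain jumps on the first
# octet to a per-prefix chain (BLOCK_<octet>), so a packet is matched
# against (number of prefixes + hosts sharing its prefix) rules rather than
# against every host in the list.
gen_rules() {
    awk '
    NF == 0 { next }                      # skip blank lines
    /^#/    { next }                      # skip comments
    {
        split($1, o, ".")
        p = o[1]
        if (!(p in seen)) { seen[p] = 1; order[++n] = p }
        hosts[p] = hosts[p] "-A BLOCK_" p " -s " $1 " -j DROP\n"
    }
    END {
        print "*filter"
        print ":INPUT ACCEPT [0:0]"
        print ":BLOCK - [0:0]"
        for (i = 1; i <= n; i++) print ":BLOCK_" order[i] " - [0:0]"
        # Only new SSH connections enter the tree; established flows skip it.
        print "-A INPUT -p tcp --syn --dport 22 -j BLOCK"
        for (i = 1; i <= n; i++)
            print "-A BLOCK -s " order[i] ".0.0.0/8 -j BLOCK_" order[i]
        for (i = 1; i <= n; i++) printf "%s", hosts[order[i]]
        print "COMMIT"
    }'
}

# Emit the ruleset for the constructed list (pipe into iptables-restore in practice).
printf '%s\n' "$BLOCKLIST" | gen_rules
```

The BLOCK chain is still scanned linearly over the prefixes, so the gain depends on how evenly the hosts spread across them; loading via iptables-restore replaces the table atomically rather than appending rule by rule.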
